{"ip":"34.101.45.12","exported_at":"2026-06-18T06:42:19+00:00","period_days":30,"metrics":{"events7d":854,"distinct_ports":1,"distinct_classifications":4,"max_severity":7,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":59,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["ddos"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":8,"classification":80,"behavior":0,"geo":40,"protocol":33,"novelty":25},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"T1499","top_mitre_technique":"T1499","top_mitre_count":775,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":80,"behavior":0,"geo":40,"protocol":33,"novelty":25,"risk_score":59},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["MITRE-T1499","Upstream"],"tags_summary":["MITRE-T1499","INT-upstream"],"attack_vector":"http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)","protocol_details":{"payload_preview":"GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK","port":9443,"service":"https","service_label_fr":"HTTPS"},"protocol_summary_fr":"Payload GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser\u2026 \u00b7 HTTPS:9443","evidence_snippet":"GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK","target_port_label":"9443 \u00b7 HTTPS","emulator_service":"https","confidence_reason":"Confiance 100 % \u2014 6 signal(aux) capteur","classification_reason":"Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 8","payload_preview":"GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK"},"events":[{"id":8881090,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43234,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 269, \u0022payload_entropy\u0022: 5.396072125377945, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f170ecb2c34f5ec575ce43b563c7924f\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/sendgrid.config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid.config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnecti\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/sendgrid.config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnecti\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221e4db1333059fa3d03346f9ea7370b9956a864d9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid.config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid.config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 6 Pro) AppleWeb\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":269},{"id":8881091,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43246,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 255, \u0022payload_entropy\u0022: 5.391762746745234, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228ab755eaa142fbb1b82749c56154af85\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/mail\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6\u0022, \u0022request_sample\u0022: \u0022GET \/mail\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/mail\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/mail\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/mail\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a00d107746813fb2536cceb7784564ddc302bdcc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/mail\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/mail\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/mail\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/mail\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/6\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":255},{"id":8881092,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43236,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 270, \u0022payload_entropy\u0022: 5.4244686055237725, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002203adfd47b24f4627301eb4f91562a2a3\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/email\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022request_sample\u0022: \u0022GET \/email\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.181 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnect\u0022, \u0022payload_snippet\u0022: \u0022GET \/email\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/email\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.181 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnect\u0022, \u0022payload_snippet\u0022: \u0022GET \/email\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022663dca15debd448908c54c8df2df931a07928949\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/email\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/email\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/email\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/email\/sendgrid.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":270},{"id":8881093,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43226,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 254, \u0022payload_entropy\u0022: 5.430263991642739, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b14325ecf20b33c51eeeff6b686df82a\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a2d48f2aa992d5c05df96c26bfb25017624a08d8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit\/537.\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":254},{"id":8881094,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43260,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 258, \u0022payload_entropy\u0022: 5.423799624775903, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e4adbdb36741a1f09480bb1ee1b27768\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/sendgrid.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 \u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/sendgrid.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022879a32809e800f8722234ab0d059cf2d552a54eb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Moto Z3 Play) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":258},{"id":8881095,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43248,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.482440473181827, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d6632c38bcd13723b7f280ccdf079085\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a20c5650d74a82d2a5f40efdc4b2e7aa3d4c98e8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":243},{"id":8881096,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43276,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 246, \u0022payload_entropy\u0022: 5.377973218438614, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222a41546cd059fa3b44f30c4c7daba817\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/config\/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li\u0022, \u0022request_sample\u0022: \u0022GET \/config\/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/config\/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a942e0776506f15b273ecf3f4a131911e8838b22\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/config\/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/config\/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/sendgrid.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN9) AppleWebKit\/534.13 (KHTML, li\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":246},{"id":8881097,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43300,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 281, \u0022payload_entropy\u0022: 5.403972253622371, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002255774e8e7f902ac020a786d4fe799d91\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/config\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K\u0022, \u0022request_sample\u0022: \u0022GET \/config\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gz\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/config\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gz\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227855ddd7459f854198326cc8428a28a24954b795\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/config\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/config\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292K\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":281},{"id":8881098,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43284,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.423139858141907, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b6baf918174bd1d8ca4a079be3e03293\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/mailer\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3\u0022, \u0022request_sample\u0022: \u0022GET \/mailer\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/mailer\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/mailer\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/mailer\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b96c8ae9be54180215b26ae270f2f0cbcd4fd65c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/mailer\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/mailer\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/mailer\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/mailer\/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973U) AppleWebKit\/537.3\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":260},{"id":8881099,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43312,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 215, \u0022payload_entropy\u0022: 5.323684671157448, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022328d172c6aee6caba51c5948dd1b9764\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/config\/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/\u0022, \u0022request_sample\u0022: \u0022GET \/config\/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (like Gecko)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/config\/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (like Gecko)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a01246cf5bd32fc62132c45419684e412d31fd36\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/config\/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/config\/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/sendgrid.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":215},{"id":8881100,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43286,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.4121218097150745, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226767ce2affa54a6e8ef61e19c2f51962\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a67b0e699e8647d89f49de9a3f86d12d4c602182\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.3\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":252},{"id":8881101,"ip":"34.101.45.12","ts":"2026-06-14 11:30:16.000000","proto":"tcp","src_port":43288,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.418093434516608, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002228784d21fa66ec8f3526044f730530a3\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/sendgrid-config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid-config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid-config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/sendgrid-config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid-config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002291ae21735c11e2166bd984c203fe9a6369c6db3c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid-config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid-config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/sendgrid-config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid-config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebK\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":259},{"id":8880995,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42282,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 255, \u0022payload_entropy\u0022: 5.463911708741532, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227ea36e8c94df8951a382dad34558003e\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/wp-config.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH\u0022, \u0022request_sample\u0022: \u0022GET \/wp-config.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-config.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/wp-config.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-config.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223e4381dd40c18c5054179d32c730e9d788731006\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/wp-config.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wp-config.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/wp-config.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wp-config.bak HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505FN) AppleWebKit\/537.36 (KH\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":255},{"id":8880996,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42298,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 199, \u0022payload_entropy\u0022: 5.240647954725722, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cbfd075d79c49e90bf5931bc85b0ea45b7d3b839\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e5e0fceede633de1ab9bbc0aa1291666\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/wp-config.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.\u0022, \u0022request_sample\u0022: \u0022GET \/wp-config.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-config.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/wp-config.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-config.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223d1b1588545b42dc492c162191805e3e504e5fe4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/wp-config.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wp-config.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/wp-config.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wp-config.txt HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":199},{"id":8880997,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42302,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 255, \u0022payload_entropy\u0022: 5.4018853861598135, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c2a94cf707bb59074c81b020bce3fc0f\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/local-config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5\u0022, \u0022request_sample\u0022: \u0022GET \/local-config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/local-config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/local-config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/local-config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a2515ffc6e388c23363b825c8e7ed7d42141cbf2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/local-config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/local-config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/local-config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/local-config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":255},{"id":8880998,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42310,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 257, \u0022payload_entropy\u0022: 5.441278873645036, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b02a09f781e562a260a2dd1251dd1c50\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/bootstrap\/cache\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\u0022, \u0022request_sample\u0022: \u0022GET \/bootstrap\/cache\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/bootstrap\/cache\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/bootstrap\/cache\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/bootstrap\/cache\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cd7198b7d945501cab40688b87f74a04608f464e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/bootstrap\/cache\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/bootstrap\/cache\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/bootstrap\/cache\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/bootstrap\/cache\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":257},{"id":8880999,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42326,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 265, \u0022payload_entropy\u0022: 5.4158066518765, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e9cfe9c9a2dd9a925c723ea588edbab5\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/app\/config\/parameters.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple\u0022, \u0022request_sample\u0022: \u0022GET \/app\/config\/parameters.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/config\/parameters.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/app\/config\/parameters.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/config\/parameters.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227a93ad3d19fa8dc5b11b63500f31d9775fef136c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/app\/config\/parameters.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/app\/config\/parameters.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/app\/config\/parameters.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/app\/config\/parameters.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) Apple\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":265},{"id":8881000,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42372,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 283, \u0022payload_entropy\u0022: 5.425391951472231, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022255689db64f0aaed8a73b4866739e5b5\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/app\/config\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929\u0022, \u0022request_sample\u0022: \u0022GET \/app\/config\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/config\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/app\/config\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/config\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b18ae424bcaa80de2cff13cca96d37e6107d8cbb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/app\/config\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/app\/config\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/app\/config\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/app\/config\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA929\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":283},{"id":8881001,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42384,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 221, \u0022payload_entropy\u0022: 5.306167811394413, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002202d65b6f3b2952ddcf7e064f5a3c7945\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/settings\/local.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef\u0022, \u0022request_sample\u0022: \u0022GET \/settings\/local.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Iceweasel\/6.0a2\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/settings\/local.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/settings\/local.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Iceweasel\/6.0a2\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/settings\/local.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b26f6d52f74f8844e63b798e24699caec6b89ac7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/settings\/local.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/settings\/local.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/settings\/local.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/settings\/local.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firef\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":221},{"id":8881002,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42340,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 297, \u0022payload_entropy\u0022: 5.473390906532799, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002259330300b7203e3371b2f0265eafc432\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/app\/config\/parameters.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537\u0022, \u0022request_sample\u0022: \u0022GET \/app\/config\/parameters.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.26 Safari\/537.36 Core\/1.63.5977.400 LBBROWSER\/10.1.3752.400\\r\\nAccept-Charset: utf-8\\r\\nAcc\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/config\/parameters.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/app\/config\/parameters.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.26 Safari\/537.36 Core\/1.63.5977.400 LBBROWSER\/10.1.3752.400\\r\\nAccept-Charset: utf-8\\r\\nAcc\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/config\/parameters.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f54d764ccac0e574acf6519f434c6ecec23a6f0c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/app\/config\/parameters.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/app\/config\/parameters.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/app\/config\/parameters.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/app\/config\/parameters.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":297},{"id":8881003,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42392,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 263, \u0022payload_entropy\u0022: 5.393146809261888, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b749b6fed165160c8bdaa7c891a63492\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW\u0022, \u0022request_sample\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d178276fa25a1648779b315c3d225aedb4123cfe\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleW\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":263},{"id":8881004,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42428,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.356492593588485, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220bbc938e929e92249569598f280767ed\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90\u0022, \u0022request_sample\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227769dc27b7ee6a361f8d07f0ba4476a4f0ebc53f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":198},{"id":8881005,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42352,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 255, \u0022payload_entropy\u0022: 5.419750012661122, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002291ee11a6e2c4650311ca2cac0a4c13e9\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53\u0022, \u0022request_sample\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.80 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022892e3d03e7d8a0fe8e7c29bed271a16361e578e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/53\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":255},{"id":8881006,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42364,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 212, \u0022payload_entropy\u0022: 5.262524981163503, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cbfd075d79c49e90bf5931bc85b0ea45b7d3b839\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022822ab7d5f841f9f995af60012eb8364c\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1\u0022, \u0022request_sample\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/105\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/105\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002237fc9742678fafcb04f71753916456f191ef0ddb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 51}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: BlackBerry8330\/4.3.0 Profile\/MIDP-2.0 Configuration\/CLDC-1\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":212},{"id":8881007,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42370,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.390169375123038, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b822175e91cd79d15217cf8bf492e70bb1c260b2\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022685fd30ef0593c0e429a2713065cd24d\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/storage\/logs\/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple\u0022, \u0022request_sample\u0022: \u0022GET \/storage\/logs\/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: c\u0022, \u0022payload_snippet\u0022: \u0022GET \/storage\/logs\/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/storage\/logs\/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: c\u0022, \u0022payload_snippet\u0022: \u0022GET \/storage\/logs\/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228ce8c9084f3c450d1aef6474d1b6819d44870ef7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/storage\/logs\/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/storage\/logs\/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/storage\/logs\/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/storage\/logs\/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) Apple\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022tor_exit_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022tor_exit_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":264},{"id":8881008,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42404,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 279, \u0022payload_entropy\u0022: 5.366762523997749, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225133dd60c66e7548cf87d76d82591330\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/settings\/production.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) \u0022, \u0022request_sample\u0022: \u0022GET \/settings\/production.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\u0022, \u0022payload_snippet\u0022: \u0022GET \/settings\/production.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/settings\/production.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Mobile\/15A5362a Safari\/604.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\u0022, \u0022payload_snippet\u0022: \u0022GET \/settings\/production.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228224330a2d77c853dbcb1a14ae54ed0f9918e4eb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/settings\/production.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/settings\/production.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/settings\/production.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/settings\/production.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":279},{"id":8881009,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42416,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 277, \u0022payload_entropy\u0022: 5.38410881527346, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022368e4aab40001d4b5cb91745d67c0c1a\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/core\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW\u0022, \u0022request_sample\u0022: \u0022GET \/core\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/core\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/core\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/core\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227bc0b8f8cb1dbd6e6e858f3be7ae553134832ecd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/core\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/core\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/core\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/core\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleW\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":277},{"id":8881010,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42418,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 265, \u0022payload_entropy\u0022: 5.527596702943068, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c5b2924b5d881473b96ae2e30295e204\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML\u0022, \u0022request_sample\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.105 Safari\/537.36 Vivaldi\/2.4.1488.38\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.105 Safari\/537.36 Vivaldi\/2.4.1488.38\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: \u0022, \u0022payload_snippet\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c1b68a86700927bab8bf3fba55a0df0803e51a21\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":265},{"id":8881011,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42434,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 289, \u0022payload_entropy\u0022: 5.391539878388884, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b07e846d83bf0b7ca1820967ff2afe5\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno\u0022, \u0022request_sample\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Lenovo K8 Note) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Enco\u0022, \u0022payload_snippet\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Lenovo K8 Note) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Enco\u0022, \u0022payload_snippet\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c6dbbf1387d513e2c5438d9ac1ee7937b978dce6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; Leno\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":289},{"id":8881012,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42456,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.397197265792193, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002263cb2154e96685f276d55405898079dc\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK\u0022, \u0022request_sample\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: clos\u0022, \u0022payload_snippet\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: clos\u0022, \u0022payload_snippet\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a18cd4798b4fdd609f664f3a7c2fab3cb4600b4d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebK\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":261},{"id":8881013,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42444,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 268, \u0022payload_entropy\u0022: 5.420473720802275, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229918402e77cb2b918089d41482e8f8a4\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap\u0022, \u0022request_sample\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnectio\u0022, \u0022payload_snippet\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnectio\u0022, \u0022payload_snippet\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e628648fc19746c16bd7415ecafc7160a910c9d6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_2) Ap\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":268},{"id":8881014,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42464,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 204, \u0022payload_entropy\u0022: 5.301082327558993, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220b49d1926b12fb049f41315f6738661a\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride\u0022, \u0022request_sample\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident\/4.0)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222dbfe3365c81e44dfe343ddf8f16bbe1907beb4f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Tride\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":204},{"id":8881015,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42478,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 255, \u0022payload_entropy\u0022: 5.342986023527013, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c3a714987e74e5f16bcb5e36624e0326\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/settings\/base.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6\u0022, \u0022request_sample\u0022: \u0022GET \/settings\/base.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/settings\/base.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/settings\/base.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1.2 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/settings\/base.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002263261eb20e018bdc4bce48aaaf9a83ee9533a127\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/settings\/base.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/settings\/base.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/settings\/base.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/settings\/base.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit\/6\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":255},{"id":8881016,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42488,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 246, \u0022payload_entropy\u0022: 5.434498773488178, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002209c1431186e67d2a1a426fd78c34aaac\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM\u0022, \u0022request_sample\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222548c6b057c7177925b9415b645fc4704c029f45\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTM\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":246},{"id":8881017,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42504,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 250, \u0022payload_entropy\u0022: 5.364072547665692, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226a5f203578c4205ea72f89c4d6ffc3fa\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li\u0022, \u0022request_sample\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fd8f1af69a0c680ead9912f9ab1c069a1c525d2a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML li\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":250},{"id":8881018,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42516,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.429178054386532, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002259456970674e91fc96c44bad87b27ee5\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537\u0022, \u0022request_sample\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: clos\u0022, \u0022payload_snippet\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: clos\u0022, \u0022payload_snippet\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022781da7a431e56effabfb17f3d23c5c0c782c59d6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":261},{"id":8881019,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42512,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.39190342114953, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229e1836072cdd859e4737ea0ef08e6885\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK\u0022, \u0022request_sample\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ff8644c185b4394338afb677fc253cc4d1543867\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebK\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":259},{"id":8881020,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42526,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 262, \u0022payload_entropy\u0022: 5.403658638547989, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c64bac8b3e3e853566206311d1354ae1\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537\u0022, \u0022request_sample\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: clo\u0022, \u0022payload_snippet\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: clo\u0022, \u0022payload_snippet\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002251be50902de18745f0d64a62c65897d6ecdf5588\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; GM 6 d) AppleWebKit\/537\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":262},{"id":8881021,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42540,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 241, \u0022payload_entropy\u0022: 5.492442770668362, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022389839e0bb37f09a2f1c1e764cff47e7\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML \u0022, \u0022request_sample\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.56 Safari\/537.4\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML like Gecko) Chrome\/22.0.1229.56 Safari\/537.4\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226432e115a451c28ea90305bf31fd0ec57a66e788\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.4 (KHTML\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":241},{"id":8881022,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42552,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 258, \u0022payload_entropy\u0022: 5.436693340658309, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223e903075bf3d2b0e4522b87a69634e39\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36 \u0022, \u0022request_sample\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bdbf38b51263d7081d9749dcc719b341960a1363\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; PRA-LX1) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":258},{"id":8881023,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42556,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 275, \u0022payload_entropy\u0022: 5.504199666861561, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224684781158f015a436ee55c5c263c8d5\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5\u0022, \u0022request_sample\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCo\u0022, \u0022payload_snippet\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCo\u0022, \u0022payload_snippet\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fec4bb7144048b54b4dd8873ae35c8c96169c85b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/5\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":275},{"id":8881024,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42562,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 174, \u0022payload_entropy\u0022: 5.256548416457445, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225d7a54c39cf9421e33ae6b4b572905b0b1c15fb7\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 51}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d45e12b3fb5f022eb62d02635606bce0\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\\r\\nAccept-Charset: utf-8\u0022, \u0022request_sample\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\\r\\nAccept-Charset: utf-8\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\\r\\nAccept-Charset: utf-8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223ef77b61190530fc9fd23b8bd2baed3ac0fb2c8c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\\r\\nAccept-Charset: utf-8\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\\r\\nAccept-Charset: utf-8\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 51}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\\r\\nAccept-Charset: utf-8\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Links (2.1pre15; Linux 2.4.26 i686; 158x61)\\r\\nAccept-Charset: utf-8\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":174},{"id":8881025,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42576,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 240, \u0022payload_entropy\u0022: 5.425588863008424, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022625e587791233f6fe687dd86ef080d3bb3daac42\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002257c46d300ae4a87c0e7458ff533ec8ad\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022request_sample\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b72e709ee5bfc6cf73175407cee5ea6f3c74d57\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022jenkins_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022jenkins_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":240},{"id":8881026,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42592,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 263, \u0022payload_entropy\u0022: 5.423150952541444, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002203947b58412005dca2bf153bc0163296\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5\u0022, \u0022request_sample\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002261b84c2569bb948ee1263a024e901c2349c9795d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit\/5\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":263},{"id":8881027,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42598,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 263, \u0022payload_entropy\u0022: 5.447805243505889, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002239c3a5ac8643fd0cfae862bacdf0d9bf\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac \u0022, \u0022request_sample\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X; de-de) AppleWebKit\/533.17.9 (KHTML, like Gecko) Mobile\/8F190\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X; de-de) AppleWebKit\/533.17.9 (KHTML, like Gecko) Mobile\/8F190\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e3fdea50ace184d74c3af2f1ff53a71bcbc78a46\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":263},{"id":8881028,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42602,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.468799147178282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022819524bab498bdde760f8118ec28bcb0\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, \u0022, \u0022request_sample\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.59\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.59\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c01282c550d3a5af9c692a3c90e9484b53fb220d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":260},{"id":8881029,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42604,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.411652175260553, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc3e37af13d7b5016a9d426e6d9b087d328253b0\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002244e1e62bd2ea53df4c309ee8057bdbf4\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/\u0022, \u0022request_sample\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: c\u0022, \u0022payload_snippet\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: c\u0022, \u0022payload_snippet\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022373c87db8ddb7387ae2c62f9d05d954bfb67c028\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G935F) AppleWebKit\/\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022redis_config_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":264},{"id":8881030,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42614,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 269, \u0022payload_entropy\u0022: 5.461660375252798, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bdb5533af567036530a6f5928df63f5f\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb\u0022, \u0022request_sample\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.107 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnecti\u0022, \u0022payload_snippet\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.107 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnecti\u0022, \u0022payload_snippet\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226a1d391b51d5f913aebe42be7402ef81f845b249\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Nexus 6P Build\/N2G48C) AppleWeb\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":269},{"id":8881031,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42628,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 272, \u0022payload_entropy\u0022: 5.450612407184423, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022aae507a7089a5706c72de61a321a046b\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl\u0022, \u0022request_sample\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConne\u0022, \u0022payload_snippet\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConne\u0022, \u0022payload_snippet\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d5e1c7599f23fca60466aafc64895c9a700d2adc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) Appl\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":272},{"id":8881032,"ip":"34.101.45.12","ts":"2026-06-14 11:30:15.000000","proto":"tcp","src_port":42640,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 258, \u0022payload_entropy\u0022: 5.384361652459085, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022ID\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae\u0022, \u0022event_fingerprint\u0022: \u0022fb2cae5b6b97540dd8affff2f1b0a66ca956efc9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 147, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022ID\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002294c564b275121e10fc46930e0e51a1d8\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW\u0022, \u0022request_sample\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Reeder\/3.2 Safari\/605.1.15\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220c5b6c29507efea07e319062eca021f37b2976b9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleW\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_flood\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":258}],"total_events":854}