{"ip":"34.39.181.210","exported_at":"2026-06-18T13:14:30+00:00","period_days":30,"metrics":{"events7d":0,"distinct_ports":0,"distinct_classifications":0,"max_severity":null,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":70,"attack_stage":"exploit_attempt","attack_chain_stage":null,"threat_family":["unknown"],"recommended_action":"investigate","confidence":0.92,"risk_breakdown":{"waf":84,"classification":90,"behavior":0,"geo":40,"protocol":25,"novelty":15},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":null,"top_mitre_technique":null,"top_mitre_count":null,"executive_one_liner_fr":"risque 60\/100","campaign_hint_fr":null,"confidence_breakdown":[],"persona_hostname":null,"correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":92,"confidence_hint_fr":null,"sensor_role_label_fr":null,"tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":null,"protocol_details":[],"protocol_summary_fr":null,"evidence_snippet":"GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9411\r\nUser-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with ht","target_port_label":"9411","emulator_service":null,"confidence_reason":null,"classification_reason":null,"classification_reason_label_fr":null,"confidence_factors_fr":null,"payload_preview":"GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:9411\r\nUser-Agent: grub-client-1.5.3; (grub-client-1.5.3; Crawl your own stuff with ht"},"events":[{"id":8242245,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57116,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/application\/config\/database.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00229872b8608fc96e569e3e370e133884e46e1041b9\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00228f66bcac490da91a090f4ece11b5c64553bb4b4b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 272, \u0022payload_entropy\u0022: 5.376314949222673, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u0022c01eeaafb7d3a944426da91865171a923250dfa8\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228afd4e7414e0f03ff143b91ccb1b6f79\u0022, \u0022payload_hash\u0022: \u0022671bd128f8cee8da4ba285b963288b91\u0022, \u0022path_pattern_hash\u0022: \u00229be613508ad3f2d1b1d0632e2eb595e3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5\u0022, \u0022event_signature\u0022: \u002226b2f1e66c8c17316229729b5e09f3ce38fcc50c\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":272},{"id":8242246,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57122,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/project\/settings.py","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022py\u0022, \u0022http_ua_hash\u0022: \u00223ca0496c56b51822d90287d1536f8ef0844f125d\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u002211966cc72e0bfecaa733acc41e44392e18b681e0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 263, \u0022payload_entropy\u0022: 5.428081372029131, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u0022640f6ca759d0760c13c3086ce7e6d2ed48b1b092\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d12b3e2582860b87a7cc05cc8c019ed3\u0022, \u0022payload_hash\u0022: \u00221ff28083ab24115e97d4c1add1353154\u0022, \u0022path_pattern_hash\u0022: \u0022c29c8a7c1efc84947f863a90ed9e7db7\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; HTC 2PXH3) AppleWebKit\/53\u0022, \u0022event_signature\u0022: \u0022f824a61170d0e0c2a788e4f9ce42e1c45d1958c7\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 6.0; HTC 2PXH3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":263},{"id":8242247,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57134,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/application\/config\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00228cbbda8cc9be4123eddc2785867e3c97fb0c8a52\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022ab5bb68257f1fdd1dfa4915fa7104485b044a078\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 273, \u0022payload_entropy\u0022: 5.375541066435289, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222e5b7ebeaad9bf292a57c32a7f68fa7afb853f7f\u0022, \u0022event_fingerprint\u0022: \u00220d2dc23c8d72ac5b701b0289791b72aa803a841c\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f96952febd4c91672db1b557bbdb9d87\u0022, \u0022payload_hash\u0022: \u00225c8757d922925160d291cba8d742f916\u0022, \u0022path_pattern_hash\u0022: \u0022b6440fe574333494578eac2496976a1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) App\u0022, \u0022event_signature\u0022: \u00226f01b0a486fb80ad2042d8c3d7bc3ce679eee322\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; Redmi Note 5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":273},{"id":8242248,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57148,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/system\/application\/config\/database.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u0022b95d712f35662713c68c82a4913564c7e14d7500\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u002224e56dc80b8c9895dd6363dc3d163c6ca2669cf7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 277, \u0022payload_entropy\u0022: 5.327374246244248, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u00223475963b8a9461711057b1cfd06489f7310496d1\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002258b0de13403b501cfdd4e32e88b926a3\u0022, \u0022payload_hash\u0022: \u00228b3396f0f3db15540f00400455d53bbf\u0022, \u0022path_pattern_hash\u0022: \u002270f588a640b3de59a5428f938c259cab\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS\u0022, \u0022event_signature\u0022: \u002232bfe2a92b766ce979ff1468652741725d4007ad\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14) Gecko\/20110218 AlexaToolbar\/alxf-2.0 Firefox\/3.6.14","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":277},{"id":8242249,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57164,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":12,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/WEB-INF\/web.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022526370a7edcda495a535dcaa60eae3c401264c40\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022294983df7ad5a41b7a3548dc9a0ed2f5cf075040\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 197, \u0022payload_entropy\u0022: 5.395094079411104, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 56.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022de36fed60f39c924ab1d96dc26a3d46d052d9830\u0022, \u0022event_fingerprint\u0022: \u00227b598c780881a71f0ea40d0652ade06f3c7edae9\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b9ef5449d550a743d90e32cb428d849a\u0022, \u0022payload_hash\u0022: \u00222e6ea69790a4840e2a6172516a03ec13\u0022, \u0022path_pattern_hash\u0022: \u00222d380bdeba64643ea1e25f4789b575b6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Nokia6230i\/2.0 (03.80) Profile\/MIDP-2.0 Configuration\/CLDC-1.1\u0022, \u0022event_signature\u0022: \u0022c2f8a5b4def17435c9c15b351fa9d7c312d89fbd\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Nokia6230i\/2.0 (03.80) Profile\/MIDP-2.0 Configuration\/CLDC-1.1","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":197},{"id":8242250,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57174,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/META-INF\/context.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00220d189de03e833800feb258a02225642cf138b5fe\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00223986bf7cda9cc4c51e53512817fc8584b30172b0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 265, \u0022payload_entropy\u0022: 5.462500503503487, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u00220a2e4912f2d6918e8382e95610c2fc44d24c87cb\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002229a46c28879efa85ba220ef1d0f3bbce\u0022, \u0022payload_hash\u0022: \u002252c0295b5773cf603462399df8fe68ab\u0022, \u0022path_pattern_hash\u0022: \u002230f764f600e5073ae934f34b2b98acc2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; SM-E700H) AppleWebKit\/\u0022, \u0022event_signature\u0022: \u0022ea3c0a876f0f573b988d2402cac8112c30121ccf\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; SM-E700H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":265},{"id":8242251,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57178,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/WEB-INF\/context.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00227ca7cf36e0ba08ef9f7de766b715417d49fde57a\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022f96fa52b403933e653406cfbc2173d513c6762a6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 309, \u0022payload_entropy\u0022: 5.564218096997529, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u00220e56e165dca9b4fe993fd646030032eae6706827\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225e8af2b481bba7e65072c0c410349e29\u0022, \u0022payload_hash\u0022: \u00220c650c6cd93ca886bf55782f2c31ed56\u0022, \u0022path_pattern_hash\u0022: \u00220cc3084c1a2704ec60a7fbee65b65cb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G975U1 Build\/PPR\u0022, \u0022event_signature\u0022: \u00228dc7cc8bbfb5f02d4db0b82a732f6cef9d934a28\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G975U1 Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":309},{"id":8242252,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57180,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/WEB-INF\/classes\/application.properties","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022properties\u0022, \u0022http_ua_hash\u0022: \u002257d5ffc1207184f141f0b4be0323c97f25f6aa17\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u002210b2e06ee448a350a7e1543add2e5ae160c495e4\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 277, \u0022payload_entropy\u0022: 5.361522708529414, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u00227b0b73fe05dda10ad2d6d9698fba35632861ab04\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e65527a06ecf3cca312a83097d20712c\u0022, \u0022payload_hash\u0022: \u0022e7f696b4ee91d9fb878b6ea1cc1e670a\u0022, \u0022path_pattern_hash\u0022: \u0022f8e656368886c0ce42a00ebbaba2414b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X \u0022, \u0022event_signature\u0022: \u0022992f5b5de11b2e307f3305137eabd040b0e83737\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":277},{"id":8242253,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57192,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.idea\/dataSources.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022ff5f1a3cb9b97b83a69c684a782fe68d69100bc2\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022d8b4f1d4ad149f189f1e83b2ee85c58600df146c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 253, \u0022payload_entropy\u0022: 5.429211768556201, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u00227a637ec878907487589784d9337d7ca125bdcab6\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228171ca5a2d32a6c4387a85942c8677e1\u0022, \u0022payload_hash\u0022: \u00226766c737f9eddcf959a00f605b93fba0\u0022, \u0022path_pattern_hash\u0022: \u002245b1a6f2cf9945ad18514ad77ffdd93e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537\u0022, \u0022event_signature\u0022: \u00224b769302fd97df69cdcd711f9b4c3dd06aa67be1\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3875.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":253},{"id":8242254,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57202,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.idea\/dataSources.local.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022babfb64d29ffabe0bbff2b9251046adf533db680\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u002269f35c14ff491b04a05fe95ac539edbead309c12\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 289, \u0022payload_entropy\u0022: 5.407735098973645, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u0022eedf64ad067541073e91d26ec56537caa35e26c5\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022fda95b1f7526bb58d410d05451f5f7e6\u0022, \u0022payload_hash\u0022: \u00229c48e42f6e0fd039c5f4a8aec623b1df\u0022, \u0022path_pattern_hash\u0022: \u0022921ea8e3058ced1425d3fb1a6683e728\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac O\u0022, \u0022event_signature\u0022: \u0022a436c3d8b94d0067be0aedbb85b24b773aabe468\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/74.0.3729.121 Mobile\/15E148 Safari\/605.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":289},{"id":8242255,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57216,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":18,"waf_tags":"[\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.idea\/workspace.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022b5906c70acc0c31f10d9d3c0d416b382ccc958b2\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022dcd10abd9e64a56ef60f2096a44fceab68d89da5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 193, \u0022payload_entropy\u0022: 5.15121053220224, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 80.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 80.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002241341108ec84ac41391c3384f6558d6ec9e38cd9\u0022, \u0022event_fingerprint\u0022: \u0022c9ce1fe3a942aff1d213620a756ca4aef79174fc\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226d9cac60c0ae6e112879c8d09a1e2fbc\u0022, \u0022payload_hash\u0022: \u0022bacd0275cee0f85eb933037620202d06\u0022, \u0022path_pattern_hash\u0022: \u00225704ec26c04e317ce2b2911c876a5465\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Gregarius\/0.5.2 ( http:\/\/devlog.gregarius.net\/docs\/ua)\\r\\nAc\u0022, \u0022event_signature\u0022: \u0022e0580db0112ad3b4444658718baaccd3e490f660\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Gregarius\/0.5.2 ( http:\/\/devlog.gregarius.net\/docs\/ua)","http_referer":null,"tags":"[\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":193},{"id":8242256,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57220,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.idea\/WebServers.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u002277386173a51c69d052a81adc26feda5cc4412563\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022732626ecbb27c33e1b5cffe507928daff3e1ffcb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 268, \u0022payload_entropy\u0022: 5.439408968959871, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u0022ff681ff111d7a5f5d5909a797a22258f0af51302\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222a44d75dc0e34a4ede90a7d746fb5f07\u0022, \u0022payload_hash\u0022: \u00220a46d68224a33715966f34545f321681\u0022, \u0022path_pattern_hash\u0022: \u00223ef5b863418297cf1b3afb7572309761\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022event_signature\u0022: \u0022c576bf0a92a8b507f9e237a8b47b503ce165c3d6\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Maxthon\/4.4.6.1000 Chrome\/30.0.1599.101 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":268},{"id":8242257,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57236,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":12,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.idea\/deployment.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00221b3b1ff196fc0a48441ec32d28bb0f4936e1011e\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022ff773c35f260c28fb8b1bfb4252a50f6e0022b05\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.415185929329076, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 56.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022de36fed60f39c924ab1d96dc26a3d46d052d9830\u0022, \u0022event_fingerprint\u0022: \u00220b8e5f77ab36eab2c97a9e72603e086674998ee5\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ac4d786cd8eb314a65a7c31c54bfebbf\u0022, \u0022payload_hash\u0022: \u00224207717edb4f075a89ede3c155accf30\u0022, \u0022path_pattern_hash\u0022: \u002236b6d965d63f408f7c773a687ac24612\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022event_signature\u0022: \u0022db9f671ed3128a38a9c9a64def9d129b2dd6b4f4\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":260},{"id":8242258,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57248,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.vscode\/sftp.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00229437cba28d03b8e367f23e3163029fd837235870\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022a7b754a65cd3a72c45519ffad56ec4883c279ab1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 271, \u0022payload_entropy\u0022: 5.434804146118559, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u0022fc4da6d503c26098c1547d6caae5ce135e027e00\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229ceb6144297d4f6896850fa4a6c56253\u0022, \u0022payload_hash\u0022: \u00221bf47c9cf2e4841d708521ac1f263e27\u0022, \u0022path_pattern_hash\u0022: \u00224379ee7559d68deac5f1bf414dd60187\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/60\u0022, \u0022event_signature\u0022: \u00221c0a528147eb1c26f2840d68f1c03a46d2131972\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/17A5556d Safari\/604.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":271},{"id":8242259,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57258,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.vscode\/settings.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022e682abd34aab1e40793d7487f59bd043d2dd33ae\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00228f13238caccb97889bb93a57a58c8206b67c85b5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 224, \u0022payload_entropy\u0022: 5.310913763966075, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u00220bc0e5ba0f1161f92081dffc043eb221d2f9a144\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c41830aceeb8f1c50acce6c50c3af66e\u0022, \u0022payload_hash\u0022: \u002241f5738727891fb0b0155f3c6a147e80\u0022, \u0022path_pattern_hash\u0022: \u0022f5f67949e6b52d5014abefc02d1fe9f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 \u0022, \u0022event_signature\u0022: \u0022f8f3d84feb8bbfad45fb93ae291271dd376f19fc\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firefox\/28.0 SeaMonkey\/2.25","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":224},{"id":8242260,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57270,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.vscode\/launch.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00224b6cf9c083ef389e05b5e78ccf056ed2b5c6db66\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022f955acacb64b027ce0fe999c2601f7358bc4da5a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 225, \u0022payload_entropy\u0022: 5.210046947798603, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u0022cad81f0a09c5f48618015c6f625dd21fe71968fe\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229edf80910dd9ca25faf4d367d07c3e19\u0022, \u0022payload_hash\u0022: \u0022861d5a28288ee27bd4bf6eb581ce2e90\u0022, \u0022path_pattern_hash\u0022: \u00222ff6c8576629cb803256f3fb9cd546fa\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) P\u0022, \u0022event_signature\u0022: \u0022fb48919449249e0487b9235c16b5a27be5b08007\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Presto\/2.12.423 Version\/12.16","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":225},{"id":8242261,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57282,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.vscode\/tasks.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022248f666142c9512c8447ef2896b1c5012f6e7497\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u002292e911a3df5ad35698662851e6649fca8b9cc765\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 250, \u0022payload_entropy\u0022: 5.424120927405475, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u0022c5f0951635477b724d730594ada6a046f16ab9eb\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022933bf726c379607e32b73a4f6a198f9c\u0022, \u0022payload_hash\u0022: \u0022ed96b024d413b75bf47ca9f2df3cdd54\u0022, \u0022path_pattern_hash\u0022: \u002271d0e06039e234c8f571eb83415e4643\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36\u0022, \u0022event_signature\u0022: \u00223429c11da150001400fcf227cae7410169aa81f8\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3835.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":250},{"id":8242262,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57294,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.gitlab-ci.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u00221f920ae0095efc9859bfd9a1389770e0b824fad1\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022438af05b92495206533fc223d46e511d40c32485\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.435752064124852, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u00225a46f8598d42bf0271287bb3e0f5b69fe8805a18\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d3c801a3fcd8b02495806d8ab846c2e4\u0022, \u0022payload_hash\u0022: \u00229597fc49e597386fd027ed1a0bc35a85\u0022, \u0022path_pattern_hash\u0022: \u00221c248e6546ed96558dfcda198b4e61ef\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022event_signature\u0022: \u00224407d5ce34005fcd06e2da3c5d05b37568532de2\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.62 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":243},{"id":8242263,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57308,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.travis.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022901232c6b68c2d240bff5039fd7b8df58b7460ec\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00220f539eb712332002814a106c4304479b90529490\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 274, \u0022payload_entropy\u0022: 5.461944600676861, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u0022551d97934d12132da2720c28b3c52c840c5eb7e4\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293a5e16308954459381bac19669c1159\u0022, \u0022payload_hash\u0022: \u0022b88090398b5281685dc367c12bc3eb03\u0022, \u0022path_pattern_hash\u0022: \u002231215e4931d9a8bb956098a35abb0b27\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022event_signature\u0022: \u00225845be3cec060d2c38d0da386c39cc519f827a97\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.186 YaBrowser\/18.3.1.1220 Yowser\/2.5 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":274},{"id":8242264,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57320,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.github\/workflows\/deploy.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022f694f99cff565034e1e4fddf9aac9f1fdb313045\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00229a980960a1dce8601282270803934f12c1e6c3d4\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 262, \u0022payload_entropy\u0022: 5.47016198806424, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u00221b246b6c612baf6244ed83fc912dc30de3925785\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226dc82c8a3d57f2110191f3d1c13c7a38\u0022, \u0022payload_hash\u0022: \u0022dd9ac08a246f6586a50a126ba805e1c6\u0022, \u0022path_pattern_hash\u0022: \u002276cfbca880390f07dc02774a92e03828\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/deploy.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWeb\u0022, \u0022event_signature\u0022: \u00222bcefd716c19c21beb3843ad737e81ceef37bbbc\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":262},{"id":8242265,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57328,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.circleci\/config.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022a9a14ed9a51a2ead540956d6c6cc8d45e4194499\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u002242ed80c065555149f59c15145f7ae964b6a99b5e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 265, \u0022payload_entropy\u0022: 5.3970717503875285, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u0022e9084b37adc15b9d50a5fe915c706951030c441d\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022beba3d5d57e33008dab2662a75c702d5\u0022, \u0022payload_hash\u0022: \u0022fa0c2abf9b5c22388cdfe7d9cae72801\u0022, \u0022path_pattern_hash\u0022: \u0022b893b0eec412648d41158b9ec6bd21e4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.1; GT-I9500) AppleWebKit\/\u0022, \u0022event_signature\u0022: \u0022166476b050855abf1e213c3ffbe64c3b33f1b539\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 5.0.1; GT-I9500) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":265},{"id":8242266,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57342,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.github\/workflows\/main.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022daa2b923a678ca2f41e25c1c11b3147a54eb1b4e\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022235caf8bc184fcd8b7671c244cc53e88d83bf97b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 258, \u0022payload_entropy\u0022: 5.4601952582529, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u0022aff1fe4940786f787e56c299f0839f335515af40\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022287939626b5425ec6f733377b9e9ebc3\u0022, \u0022payload_hash\u0022: \u00223c56e8b98a0d5ee3dcba669afd798893\u0022, \u0022path_pattern_hash\u0022: \u0022e05ba7286924149fefd56c25594fa0c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKi\u0022, \u0022event_signature\u0022: \u0022afda5d9a1cb2a225713019a0c2f64d7d360be733\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3786.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":258},{"id":8242267,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57348,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":26,"waf_tags":"[\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.github\/workflows\/production.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u00227b5623a1e9acd412d59d77492364807288649c7a\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u002238eaa565ff94c56233c59ea6d104fdaddcc93cea\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 322, \u0022payload_entropy\u0022: 5.511419251322632, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 100.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 100.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002228269b8e76295b171123facf5fb0764eff9f0338\u0022, \u0022event_fingerprint\u0022: \u0022dc19614c1aeae52ec1d1affde4acc631937cb380\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229c9c7728112bbdff1a535b721ac0aadd\u0022, \u0022payload_hash\u0022: \u0022d6cea84a39fb2092c378e04640f60eb6\u0022, \u0022path_pattern_hash\u0022: \u00229eba29b7a547d56eaba268ebadba8373\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like \u0022, \u0022event_signature\u0022: \u0022bf26fe3850d3b4e6d813082ac1757c2bfa2094e0\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN","http_referer":null,"tags":"[\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":322},{"id":8242268,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57352,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.github\/workflows\/ci.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022e6a448a694fda4ff58870f1957c1be1ef254c6d3\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00223ec364769fb4698cfcca7031daf28214f8708060\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 270, \u0022payload_entropy\u0022: 5.426755184238417, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002282eab1462daec00268670852ae48f6d43f4e5741\u0022, \u0022event_fingerprint\u0022: \u0022e28989ea5412ad3f2e70765933ec1a2967d74499\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226dabb5aa44875df608d39d1ccbba964e\u0022, \u0022payload_hash\u0022: \u0022e2dca9f3d9d3b8ba29c7f2d51bd8a98f\u0022, \u0022path_pattern_hash\u0022: \u00220bac82c8c4461b7e2eb48cd6eaefa7e9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-\u0022, \u0022event_signature\u0022: \u00220ccd806c57ec6d7be08775d97a13184f56be6a78\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit\/534.15  (KHTML, like Gecko) Version\/5.0.3 Safari\/533.19.4","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":270},{"id":8242269,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57368,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/Jenkinsfile","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f5afc8d7c4957c93e4a79f6871fdbcfa35f49089\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00226196821c9b59b6ceb2d7ccd4d35e939ea59e7ed4\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 256, \u0022payload_entropy\u0022: 5.423659978271041, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u0022db61c64f4e15328bb71574aaa180dbfe20c4612c\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022610f4c517af8d56f9097a351a06686d5\u0022, \u0022payload_hash\u0022: \u002220e39a05dbf926ee1fb5656c8f5b9221\u0022, \u0022path_pattern_hash\u0022: \u00220d4eaf992f1a72b02518b7d952191a55\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (K\u0022, \u0022event_signature\u0022: \u0022b6ce5610384b98c7315eeff3bab99f0a18fb69a0\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":256},{"id":8242270,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57370,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/jenkins\/Jenkinsfile","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002252afa0c63fa89c52914758be7103e16b482e18dc\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022171840fe47dfd6f2d76e0b80f11136ea038cbc5d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 258, \u0022payload_entropy\u0022: 5.401073185427591, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002211719f5423639da0812521793c2ea60715ffd5a8\u0022, \u0022event_fingerprint\u0022: \u0022539048068be09787d4aa563ecf142d97d7b6ef21\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228a3e3eee7a039c5e5f6a9978df88c13d\u0022, \u0022payload_hash\u0022: \u002214c21f22f4cce06b90963260b10c4961\u0022, \u0022path_pattern_hash\u0022: \u002240125f4f361452a7111c9b4a9dc1dfb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/jenkins\/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 \u0022, \u0022event_signature\u0022: \u0022c5a374eabb07f277b4c737e0d9729f3c4d53416d\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_jenkins\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; GM1913) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_jenkins\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":258},{"id":8242271,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57372,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.drone.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u002252886032f7b54ffde5c3ed27b5deec4e377a47af\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00221954ac9283af903ae4a6de319bd93df245fb035e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 212, \u0022payload_entropy\u0022: 5.296195603203248, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u002216e6cc90947c33a77d3081cad8d97a958e3d8ce6\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f3490eb54b88c8a44b5f6a7cfd0bb35f\u0022, \u0022payload_hash\u0022: \u00224a137d5e55ffcbfedffc6810bfeb3b2f\u0022, \u0022path_pattern_hash\u0022: \u0022f74d63edd884e7a9299ad52f54b46b61\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko\/201001\u0022, \u0022event_signature\u0022: \u0022fe4cfa13dc117cf2e4bd31c3f9c4af9261b46b7b\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko\/20100101 Firefox\/49.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":212},{"id":8242272,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57388,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.drone.yaml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yaml\u0022, \u0022http_ua_hash\u0022: \u002226044ceb6657f77f597eb6f522def3b8f3dc3548\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00222dde7c7ac3e6a210a636b7b4438f90ddd70a6f86\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.426062358008725, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u0022085c089eb23ca11c309e5b2ef0696c21c25cee0f\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f078456d3707aafb2c38af001e4981e5\u0022, \u0022payload_hash\u0022: \u0022b510e59705e9d34a68dd1b0cce5a8404\u0022, \u0022path_pattern_hash\u0022: \u0022375bdd2accbc560de2cef140cdb7ad08\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel XL) AppleWebKit\/537.36 (KHTML\u0022, \u0022event_signature\u0022: \u0022f52a1b20dae82cd2fd6cec8b31fef3e80ecefe38\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; Pixel XL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":251},{"id":8242273,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57400,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/bitbucket-pipelines.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022fa04af9816f0793fdc1a867eef08c9bba4602d70\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022e18939aa25137b140957dface586fa6d87f55246\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 229, \u0022payload_entropy\u0022: 5.301295069889527, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u0022795beeca168501e86116bc3bf9ff5ff13e11dda9\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022019e2e1e34358ddde0b0e9ce516b2815\u0022, \u0022payload_hash\u0022: \u00226d8e17cfd2c89171f392d6920f8f9b9a\u0022, \u0022path_pattern_hash\u0022: \u00227196cda3d0ac0fc416539ef0a94d0999\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:10.0.1) Gecko\/2010010\u0022, \u0022event_signature\u0022: \u0022441daf32cf6978fd02925f0255246cb65d8a7663\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1 SeaMonkey\/2.7.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":229},{"id":8242274,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57416,"dst_port":9411,"service":"http","classification":"flood","waf_score":0,"waf_tags":"[]","http_method":"GET","http_target":"\/azure-pipelines.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022cf28b80b1590ca35ee44b2e6572cd01a2a9862bc\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00228bacf7ba189e1d49695131e01ec30c1752198ab0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 153, \u0022payload_entropy\u0022: 5.122914291946511, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 25, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e758c2d0b3b6582363b67a562a7cd22518d9a3f3\u0022, \u0022event_fingerprint\u0022: \u0022bbdf89ea543c43db81531f9bda09458fa3478245\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002230e7af69133e001121c3aae968727303\u0022, \u0022payload_hash\u0022: \u0022e730c916a2a08c7bf1077d87a3978848\u0022, \u0022path_pattern_hash\u0022: \u0022d76578f2ff8c409283f48927713c6e3e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.68, \u0022classification_confidence\u0022: 0.68, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/azure-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: WebCopier v4.6\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gz\u0022, \u0022event_signature\u0022: \u002247440a0c8ade7187ef072235fcc29d204797f412\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"WebCopier v4.6","http_referer":null,"tags":"[\u0022net_flood\u0022]","anomalies":"[]","severity":7,"bytes_in":153},{"id":8242275,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57422,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/.buildkite\/pipeline.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u002253ef54d76f30eef1516d89df56f88387e6379041\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00224bafbac6a6a3a3e498ce6febcc708140823e7542\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 186, \u0022payload_entropy\u0022: 5.314801042793373, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022afdf31177f7b11f5917f1816c89c42dd34f9ae12\u0022, \u0022event_fingerprint\u0022: \u00221f036d689155941f07c0cf64aabc3f998405e083\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00224a7b0650ea5c045432d9872e6e4ca6ac\u0022, \u0022payload_hash\u0022: \u002236467b73410055879303d1c899ef6ab5\u0022, \u0022path_pattern_hash\u0022: \u0022483e00e02486581ed9691d00f40bae15\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.buildkite\/pipeline.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\\r\\nAccept-Ch\u0022, \u0022event_signature\u0022: \u00224948f0f5afb33d8f3ba69fba279bad9a214b966e\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":186},{"id":8242276,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57436,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/debug.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022fe7167e896ad04e6dbb3da5e8913e13a20e92d8f\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u002277d9f648329aebdef206c4b1d63546db6147ce3b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 249, \u0022payload_entropy\u0022: 5.439573188545989, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ff3089fa1f8772d3eafbbcd59b0a247ba97d073\u0022, \u0022event_fingerprint\u0022: \u0022fa0772ea2924b466a42e705c0201544ebd453953\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022950f2137a279ca798b99aa9dfd2f4d3d\u0022, \u0022payload_hash\u0022: \u0022a7f9fd1cd1b66e8a6c4d8da6594d10da\u0022, \u0022path_pattern_hash\u0022: \u002255839acef8bcadd99e7e1a1cdf75a15f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/debug.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022event_signature\u0022: \u0022d8c5e18b6da25060428da98367dc149288f19f1e\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.80 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":249},{"id":8242277,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57446,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/error.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022e179b336ad34665ecbd046d403f20e19c6a2c672\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00224bf2a42fc3c47a9cd3c9f83a2dcc96b460ea695c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 311, \u0022payload_entropy\u0022: 5.5160136270658535, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u00226beb7f103e5a03e72e74406d89022180d9c92195\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228fb3590163379d4e83459e53905fcb33\u0022, \u0022payload_hash\u0022: \u0022d9dbe89d73311f3d1873ae0cb47eb81b\u0022, \u0022path_pattern_hash\u0022: \u0022377fe372f5c11075aea15748100afc0d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/error.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 6.0; zh-CN; KNT-UL10 Build\/HUAWEIKNT-\u0022, \u0022event_signature\u0022: \u00220fde5164e9a3b6272598d622d7482158e8bcf6c0\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 6.0; zh-CN; KNT-UL10 Build\/HUAWEIKNT-UL10) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 Quark\/3.0.2.943 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":311},{"id":8242278,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57456,"dst_port":9411,"service":"http","classification":"flood","waf_score":0,"waf_tags":"[]","http_method":"GET","http_target":"\/app.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022d9e4118625366d32e46baa9fa9f06d4ca05f4e4d\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022bd1d5b79d00a082701f913befabe9ce3bb41a839\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.146478345514736, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 25, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e758c2d0b3b6582363b67a562a7cd22518d9a3f3\u0022, \u0022event_fingerprint\u0022: \u00222a212c1a9b01c4268267955a0b952189e1168fad\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227b51e3fad151c31042c711a544a26d12\u0022, \u0022payload_hash\u0022: \u0022a6ae494592b0ee077585839802f23073\u0022, \u0022path_pattern_hash\u0022: \u0022705676047b0602f87a6c259c895bc0e9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.68, \u0022classification_confidence\u0022: 0.68, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/app.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: WDG_Validator\/1.6.2\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCon\u0022, \u0022event_signature\u0022: \u002287a4e9810ee3d47d3aaeb1f2ed2855643c97cfc8\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"WDG_Validator\/1.6.2","http_referer":null,"tags":"[\u0022net_flood\u0022]","anomalies":"[]","severity":7,"bytes_in":146},{"id":8242279,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57472,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/application.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u002218b801a3e1b457292daa1f6431451bc7dd613790\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022194ffa296bf5bf546445bc77a4914a3c16983759\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 249, \u0022payload_entropy\u0022: 5.39768953884592, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u002272272dc75471acf929618e1dd61bd03cca5d53a0\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00224f8e40b62011d0b37b25e6800125c849\u0022, \u0022payload_hash\u0022: \u0022d1d8e75d48fbd8491dae1f270752c22f\u0022, \u0022path_pattern_hash\u0022: \u0022162fef3d3c20397fd9e19a55bcddfa03\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/application.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (\u0022, \u0022event_signature\u0022: \u0022b3bb198b5d25741076f609cf1056868d78ef1cf8\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.75 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":249},{"id":8242280,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57474,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/laravel.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022b90b271655991a9ac75c487958dfb87f61352947\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00225dd8c8bb33603d1ad2c91357a5bdf5e4a77e2fda\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.432341797207793, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u00222c77a8f3a7e730b138a31626436ea92cbfb9fe4e\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222834cfb3f9a763bd7a9d5e902fb1b709\u0022, \u0022payload_hash\u0022: \u0022558daa686901a319e8684a6b51d74d85\u0022, \u0022path_pattern_hash\u0022: \u0022e42ca631e5a6c090d1fddca82a4d1723\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G955F) AppleWebKit\/537.36 (KHTML\u0022, \u0022event_signature\u0022: \u002270bd5ded4ab4f2f457b659dccf76e871a98acdfa\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; SM-G955F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":252},{"id":8242281,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57490,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/access.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00220bc7d4fba6de3d3a0681fd2a23d14c1ddfd5ae3b\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u002263438c908367e4f8041717ab279c4d967e15af99\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 248, \u0022payload_entropy\u0022: 5.403266507124163, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u002265475f96ac44f24d8453959e2dc33e15943bdc7b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022564e80cf41424e6ab91d25dadab32199\u0022, \u0022payload_hash\u0022: \u00228754feab4585c9be9a936eff596ace5c\u0022, \u0022path_pattern_hash\u0022: \u00223185fcf0045ab357f9b5c65f6fd9ad4d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/access.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, \u0022, \u0022event_signature\u0022: \u00224dfef034d5b463149adccf3aa743902fb2f6e338\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 7.1.2; FP2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3888.0 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":248},{"id":8242282,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57502,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/server.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00222353cd7686a3901b6d38c08254dc02f3a7a85d94\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022437770240dcc724c5033b3c158c576b84dde4de1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 265, \u0022payload_entropy\u0022: 5.396555519312745, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u0022c2510e4273664991a1f9522943bfae17666c9c25\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022029012e7b5b45afcecfe3b8421090f39\u0022, \u0022payload_hash\u0022: \u0022ed051bc3c0fcd4d2e104127647c3356d\u0022, \u0022path_pattern_hash\u0022: \u00221bb66c038c973622f0056a763496f9ef\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/server.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 10_0 like Mac OS X) AppleWebKit\/601.1 (KH\u0022, \u0022event_signature\u0022: \u002290f8aca620fe94d3fa1a53c5d2c62242c3ba8c92\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (iPad; CPU OS 10_0 like Mac OS X) AppleWebKit\/601.1 (KHTML, like Gecko) CriOS\/49.0.2623.109 Mobile\/14A5335b Safari\/601.1.46","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":265},{"id":8242283,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57510,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/logs\/error.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00228a6a7f08cefdf85fe174473d0bd54d3fe03d7d1e\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00229d5f558e73ca716aa21e27c6081370ba7dda563b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 238, \u0022payload_entropy\u0022: 5.291917131233573, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022504cac395c8146f25ae3760fa544a1f614a5c383\u0022, \u0022event_fingerprint\u0022: \u0022f8de406df1b83b80e39d049cb4da0018e7314735\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022127287691cb13de540eb79e4ef04b540\u0022, \u0022payload_hash\u0022: \u00227ba5baf1dd3d915bac38c4a5574e9049\u0022, \u0022path_pattern_hash\u0022: \u002211a7dc2316512e9b8311ac327e383bb9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/logs\/error.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (en-us) AppleWebKit\/525.13 (KHTML, like Gecko; Goog\u0022, \u0022event_signature\u0022: \u0022b582ef65d1bd49f54e89d270cd11a449a69b8291\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (en-us) AppleWebKit\/525.13 (KHTML, like Gecko; Google Web Preview) Version\/3.1 Safari\/525.13","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":238},{"id":8242284,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57522,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/logs\/debug.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022c1c1bde123fbda9b83f4d6156cd3b28c2797d20e\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u002203e204e4d1092f0f3982669317d2eb101a33266b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.442808983631801, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223f34613962ae37f94514ca1ab0f2fbc49e58f982\u0022, \u0022event_fingerprint\u0022: \u00222c46c043c876c8b1ad907f827fe15f035f713bb9\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002265a9a2f402a488c7f9c458cde878f2c7\u0022, \u0022payload_hash\u0022: \u0022ed239d2a987fa07458947cf5133f5ed0\u0022, \u0022path_pattern_hash\u0022: \u00222521db54cde5bdc17cc591777e55b15e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/logs\/debug.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022event_signature\u0022: \u0022adc1b524780d397b4a8e554e46d9596be29f36bd\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36 Vivaldi\/2.3.1440.61","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":264},{"id":8242285,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57530,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/trace.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00222d02134eb9bf2202a92ece90ec0266ade19d9ac5\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00220306f640cbfe7832e364cfa8aaa4495e8ef14f08\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 250, \u0022payload_entropy\u0022: 5.405517355673448, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u00220c8654c59f5987c578e4d25152e5ddf64c349450\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ed85a026a8481a3f9c1c1f5aa878e61d\u0022, \u0022payload_hash\u0022: \u0022d56d03ef2bbb0eae45bff0c89862a8dc\u0022, \u0022path_pattern_hash\u0022: \u0022f8d80e9ce78cc8d6e0404ba95f5bd5a6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/trace.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHTML, \u0022, \u0022event_signature\u0022: \u00227e502a6a38f2e16652f2f467b5613e5ced9e9f90\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":250},{"id":8242286,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57538,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":18,"waf_tags":"[\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/logs\/app.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022692f1a0f67f4c810b937dc526cf67c983cc36bbe\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022d0b8b644029ba159087a417f2e8eafdc14fc0ddb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 179, \u0022payload_entropy\u0022: 5.14290608854992, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 80.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 80.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002200efadfe1084499aabe1d853f9c16517d76f9d27\u0022, \u0022event_fingerprint\u0022: \u002246386b37a4cf1f7a6f021a67c6055ffe2bd24b1e\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022466b25cc09cc6ace622edfcb140bbf9f\u0022, \u0022payload_hash\u0022: \u0022107b8e3189b979df2e50840b1304e219\u0022, \u0022path_pattern_hash\u0022: \u00221ee40b92eb3b65f75911cb662d7e1127\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/logs\/app.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)\\r\\nAccept-Charset: \u0022, \u0022event_signature\u0022: \u002232e8cd4b975f275a6de9859d51b1c16e82b0e5bb\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"everyfeed-spider\/2.0 (http:\/\/www.everyfeed.com)","http_referer":null,"tags":"[\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":179},{"id":8242287,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57546,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/logs\/application.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u002278b3da388f07125922275ece3097b6f15cda702b\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022cdf00c17308c69bcbf2914393a08738de75ce806\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 267, \u0022payload_entropy\u0022: 5.371441812618195, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022504cac395c8146f25ae3760fa544a1f614a5c383\u0022, \u0022event_fingerprint\u0022: \u002272790c472a4a618f0809be191adcaabd3f22a663\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222fe5bca2bb102783ce93b1df880741ca\u0022, \u0022payload_hash\u0022: \u0022747a8a51b67bdb2de0c972651ca9dc6a\u0022, \u0022path_pattern_hash\u0022: \u002260fc95e5699c71a682d502bba60586d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/logs\/application.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKi\u0022, \u0022event_signature\u0022: \u0022828fb4dde049b1d60e75b79f8c1fc18026040b7c\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":267},{"id":8242288,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57556,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/log\/debug.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022ece89018f8e51dcdb25431bef4142f642a506f93\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00223fb5b472f52b8bcac2f6138463cf27ff65b8c633\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 198, \u0022payload_entropy\u0022: 5.311326585269693, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 100.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 100.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002249014564b3d177f21838c3c3fc8e5fe12398e3a1\u0022, \u0022event_fingerprint\u0022: \u002299910c7e3788ab02bab8b8f59d95fed35cec4ba4\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223ef775987e41dcc313d41d88786ef3b6\u0022, \u0022payload_hash\u0022: \u0022128860caa6bc055b3914164d3ee5f93e\u0022, \u0022path_pattern_hash\u0022: \u00220a13815894d10bbcd047ea689c56dc08\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/log\/debug.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.\u0022, \u0022event_signature\u0022: \u002253dae23571e7c280541526afb2009fb17d920d35\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_log\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_log\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":198},{"id":8242289,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57570,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":18,"waf_tags":"[\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/log\/error.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00221592e0be67ba82f6dd4bb79b36135037a8c54419\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022fc50733d76409093f90f46513edc67564b2421cb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 183, \u0022payload_entropy\u0022: 5.042953233907244, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 80.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 80.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022537dee369a316d1203d96c3fa8cac3609f56f752\u0022, \u0022event_fingerprint\u0022: \u0022f497e62fbc6f6ab05d5b4834cc373fe6a15a0966\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d611ac310fd1490c913567bde0679332\u0022, \u0022payload_hash\u0022: \u002298a01e20bc0c5009acf02fdd21c320b5\u0022, \u0022path_pattern_hash\u0022: \u0022a4d176701e2b21dd6deff557491aab03\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/log\/error.log HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Googlebot\/2.1 ( http:\/\/www.googlebot.com\/bot.html)\\r\\nAccept-Chars\u0022, \u0022event_signature\u0022: \u00229959dd034d3f0a7cb6d02ac339e74436adddab30\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_log\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Googlebot\/2.1 ( http:\/\/www.googlebot.com\/bot.html)","http_referer":null,"tags":"[\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_log\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":183},{"id":8242290,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57586,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950522:leak-9\u0022]","http_method":"GET","http_target":"\/.htpasswd","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022htpasswd\u0022, \u0022http_ua_hash\u0022: \u0022ce7057acb09dbc3e0b1fb56388b3ae24cd7157aa\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022ade2de8d21551efb00f221b43821b4acb26b6f79\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 244, \u0022payload_entropy\u0022: 5.4216809754804425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 100.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 100.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283a58eff1d0b4d58e05a339cdc782760f968d744\u0022, \u0022event_fingerprint\u0022: \u0022edf33828b7189193e08bdfc35696ad493df7eba8\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022dba375d65ab67a1b003fa49e3d2b6eb8\u0022, \u0022payload_hash\u0022: \u00229ce4099237eaca5f434bd1825aa38e60\u0022, \u0022path_pattern_hash\u0022: \u0022229c0a4c773f5f9eeec1d298c58088ee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.htpasswd HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; d-02K) AppleWebKit\/537.36 (KHTML,\u0022, \u0022event_signature\u0022: \u002234988aa756983bf05107723ec97ba5c317199f3c\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950522:leak-9\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.0.0; d-02K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.105 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950522:leak-9\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":244},{"id":8242291,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57594,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.htaccess","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022htaccess\u0022, \u0022http_ua_hash\u0022: \u002248fc129982edd3afc1bc34198cb733e58e3195b8\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u00223450b1e7f2decdc58edd085ce04b19bc7f5d6fac\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 249, \u0022payload_entropy\u0022: 5.386587217030247, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u002280165cdc8ac703b6de40149c1767eaa354a0060d\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f93daef1da09d3c77fcac272fbcc1559\u0022, \u0022payload_hash\u0022: \u0022e4a9778b43b3425f5bb2ce260329f1ed\u0022, \u0022path_pattern_hash\u0022: \u00224c27678faebafe822ea78c9ea1cb1efa\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.htaccess HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, \u0022, \u0022event_signature\u0022: \u0022e3ed2f4634d55500b947822577dc6cfcc651cdd4\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":249},{"id":8242292,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57610,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":20,"waf_tags":"[\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/web.config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022config\u0022, \u0022http_ua_hash\u0022: \u0022a5eeef1333d1ec1b3e03809eeb6c0e3a99b84552\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022fb61e36fe9095535f127e3353d957f1c1310e8e9\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 411, \u0022payload_entropy\u0022: 5.571977893869151, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 88.0, \u0022risk_classification\u0022: 100.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 100.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f1e5ebaa615df20ac4e8e4b0f716384ea8d9536d\u0022, \u0022event_fingerprint\u0022: \u0022aa3dbd3956dc008269d5a24f683d4af4c7318098\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022373c9a9decbf3af47c48ca25fee8b031\u0022, \u0022payload_hash\u0022: \u002242a6ccfa636f7ddd6b3e6cc01354171c\u0022, \u0022path_pattern_hash\u0022: \u00220913647d7e838cdd727ceda37a671f37\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716.001;\u0022, \u0022event_signature\u0022: \u00224fbf1c0f47951a25be759a0cd4d1fc0cebe722ed\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/1699 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetType\/4G Language\/zh_CN","http_referer":null,"tags":"[\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":411},{"id":8242293,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57618,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/nginx.conf","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022conf\u0022, \u0022http_ua_hash\u0022: \u002204526a14d1a43a1e5b3185b0e9ebf8bdf5cf3a44\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022845c3b2b5656c277525928bf4edf7c41919ad7fa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 200, \u0022payload_entropy\u0022: 5.287907609658076, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u00224e574ec1257ccaa8938c73aafa3f47e04d23c378\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022664168ca14a33a10a2796df70f763256\u0022, \u0022payload_hash\u0022: \u0022414971f11c31a247c2cde89f9fb6ef7e\u0022, \u0022path_pattern_hash\u0022: \u002280f5fa98cca489e2cf5aa551565e088f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/nginx.conf HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko Netscape\/7.1 (\u0022, \u0022event_signature\u0022: \u00228cd90b8ee33d87f24e191739c8b7421c655494d1\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko Netscape\/7.1 (ax)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":200},{"id":8242294,"ip":"34.39.181.210","ts":"2026-06-04 16:39:52.000000","proto":"tcp","src_port":57624,"dst_port":9411,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/nginx.config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022config\u0022, \u0022http_ua_hash\u0022: \u00225d1de84ece554d0b05fdb50c6071df350b8a0596\u0022, \u0022http_host_hash\u0022: \u00225c9e6c78af61d8db5d31615b1d31dfa805437ce8\u0022, \u0022http_target_hash\u0022: \u0022e275586080f0f32618bdbe0c80334164416e3043\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.38635521647848, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 9411, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231c1cd0faaf689b3353f2f9ff81bcc989d33b981\u0022, \u0022event_fingerprint\u0022: \u002292d6f855c764ae36fa578bfa69e7669fc6d50ba0\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226f530ed945f82ba5194a7a7c4e889bb2\u0022, \u0022payload_hash\u0022: \u002299fd2b561d6c69717ac83d05ddbd81e3\u0022, \u0022path_pattern_hash\u0022: \u002280871f7e109ea9867fd6173c2b32059b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9411, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/nginx.config HTTP\/1.1\\r\\nHost: 62.3.50.33:9411\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 2) AppleWebKit\/537.36 (KHTML\u0022, \u0022event_signature\u0022: \u0022b3635b4ee377c359d0c244610c698de04b57b9a9\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9411","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; Pixel 2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":252}],"total_events":766}