{"ip":"34.77.25.38","exported_at":"2026-07-14T11:32:01+00:00","period_days":1,"metrics":{"events7d":161,"distinct_ports":158,"distinct_classifications":95,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":6,"max_risk_score":44,"attack_stage":"recon","attack_chain_stage":"reconnaissance","threat_family":["scanner"],"recommended_action":"monitor","confidence":1,"risk_breakdown":{"waf":32,"classification":64,"behavior":0,"geo":40,"protocol":35,"novelty":20},"mitre_tactics":["TA0043"],"mitre_technique":"T1046","top_mitre_technique":"TA0007","top_mitre_count":95,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports","campaign_hint_fr":"Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte","confidence_breakdown":{"waf":32,"classification":64,"behavior":0,"geo":40,"protocol":35,"novelty":20,"risk_score":42,"correlation_boost":6},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["campagne_ports"],"correlation_flags_labels_fr":["Campagne multi-ports"],"confidence_pct":100,"confidence_hint_fr":"Corr\u00e9lation +6","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["MITRE-T1046","SIGMA-net-port-scan","Beh Multi Port 60S"],"tags_summary":["MITRE-T1046","SIGMA-net-port-scan","INT-beh-multi-port-60s"],"attack_vector":"port scan syn \u00b7 via HTTP:2248 \u00b7 (reconnaissance)","protocol_details":{"http_method":"GET","http_path":"\/","request_line":"GET \/ HTTP\/1.1","http_user_agent":"python-requests\/2.32.5","port":2248,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/ \u00b7 UA python-requests\/2.32.5 \u00b7 HTTP:2248","evidence_snippet":"GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2248\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti","target_port_label":"2248 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 100 % \u2014 2 tag(s) WAF","classification_reason":"Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF","payload_preview":"GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2248\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti"},"events":[{"id":11886035,"ip":"34.77.25.38","ts":"2026-07-14 10:05:54.000000","proto":"tcp","src_port":34992,"dst_port":2248,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00226087745e4517225375cd92fe38037febdc8800eb\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.110393652615325, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 2248, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00223729e9ec70c5dbbe137ffcf0c50e12beab9c8c59\u0022, \u0022event_fingerprint\u0022: \u0022d243fcec77f773527853ad30a6c40039efa060f5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022f92d156fc201c5adde8012edc12fcea5\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2248, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2248\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2248\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2248\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2248\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2248\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220211bc1670a43ec60c74bbe3a3e5f5b7c01d5930\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 2248, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2248\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:2248 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00222248 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2248, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 2248, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:2248 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2248\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00222248 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222248\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [2248, 3523, 3524, 8085], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2248","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11886026,"ip":"34.77.25.38","ts":"2026-07-14 10:05:33.000000","proto":"tcp","src_port":41386,"dst_port":8085,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00228307e910dac7083f4f0d52abcc8375f89d55b254\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.111077662684571, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 8085, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022189e52c6c75e5a659cb7d975e28aa74b6e055a52\u0022, \u0022event_fingerprint\u0022: \u0022b83aea09999e0a97772ac80be9abdd6aac8e5919\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00225c7c3144d388fa3ec79ff11f46c50ae3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8085, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229520d3e94f8d963c202d027b4dc080fd4b50d0ef\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8085, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8085 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228085 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 6}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8085, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8085, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8085 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00228085 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228085\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [3523, 3524, 8085, 8409], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8085","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11886018,"ip":"34.77.25.38","ts":"2026-07-14 10:05:24.000000","proto":"tcp","src_port":43388,"dst_port":3524,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002272db0ada8dd92bf79c99880f1052c5dd033f7495\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.091524560134753, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 3524, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022270e2ebebbd0e2f589407e9b234b6b7b644a7f5a\u0022, \u0022event_fingerprint\u0022: \u0022409c752a4123c6bd52fd04f11e342caa203e906a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00223ca0de9cfed3861e31c9d8c322610d91\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3524, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3524\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3524\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3524\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3524\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3524\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002266b7de2b0c5e36ff2e33967f87fbb779675dfbaa\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 3524, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3524\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:3524 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00223524 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3524, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 3524, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:3524 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3524\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00223524 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223524\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3524","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11886017,"ip":"34.77.25.38","ts":"2026-07-14 10:05:22.000000","proto":"tcp","src_port":52734,"dst_port":3523,"service":"http","classification":"port_3523_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022fbbed641f4a9b3180eca17227535c50c3c81cb57\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.064811309930026, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 3523, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022483485585ec96b80803aae2f8f1901f55992ca26\u0022, \u0022event_fingerprint\u0022: \u00229cec9d525e086a32aabaf033e9e969d76f6d5fd9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3523_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022e9935985162f186be555a2c0117bbf73\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3523, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3523\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3523\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3523\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3523\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3523\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3523_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a67298d7335e62294aaa70f92d2069850f193e3e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 3523, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3523\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 3523 tcp \u00b7 via HTTP:3523 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223523 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3523_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3523_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3523, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 3523, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 3523 tcp \u00b7 via HTTP:3523 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3523\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00223523 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223523\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3523","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11885996,"ip":"34.77.25.38","ts":"2026-07-14 10:04:42.000000","proto":"tcp","src_port":55962,"dst_port":8409,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022b1c804cfdb8f109c83a2ac09004f345dbfbe38b1\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.143645385302128, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 8409, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00229047ee417392d4491fcea92feb8808830268380a\u0022, \u0022event_fingerprint\u0022: \u00220f2cbd4ddf6a27910a9f3444d58c8717e52e8646\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022b99223c6c643d9de3f34dad1c0ee3e15\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8409, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8409\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8409\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8409\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8409\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8409\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022262b69dd358d3e4b4c3977333f57e691f7e96b00\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8409, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8409\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8409 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228409 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8409, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8409, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8409 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8409\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00228409 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228409\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8409","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11885968,"ip":"34.77.25.38","ts":"2026-07-14 10:03:59.000000","proto":"tcp","src_port":36984,"dst_port":3749,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00225815c26e94745da0999fd1e1392e9d44df73dc4e\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.132620450545713, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 3749, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002269e01bc34e3869f4f917f7b46aa63a703ff77dec\u0022, \u0022event_fingerprint\u0022: \u0022de28e2f769ff39a09434e24373824cd566f67ddc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 44}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00229b4f93221b06b07c1b7fea0ca318dc69\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3749, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3749\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3749\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3749\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3749\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3749\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222c23bff8de63390bd56cc60d045426efafecd5db\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 3749, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3749\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:3749 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00223749 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3749, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 3749, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:3749 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3749\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00223749 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223749\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3749","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11885960,"ip":"34.77.25.38","ts":"2026-07-14 10:03:50.000000","proto":"tcp","src_port":57704,"dst_port":15443,"service":"http","classification":"port_15443_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022df91af119a739d95f6e74faa2ae6bb3682364267\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.105375917481701, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 15443, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00221bb7fe5dfa3d8ef85937e2e9b4f50dea72901c86\u0022, \u0022event_fingerprint\u0022: \u0022d4764b5f65e5d8350a84fb954568f1b77ed38bd2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_15443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022a6ac1ed19bcff13ecde7f142d7d708f0\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 15443, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_15443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227867d52052e8d880979a47c6cfb76039659ea166\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 15443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 15443 tcp \u00b7 via HTTP:15443 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002215443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_15443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_15443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 15443, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 15443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 15443 tcp \u00b7 via HTTP:15443 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002215443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002215443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:15443","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11885934,"ip":"34.77.25.38","ts":"2026-07-14 10:03:12.000000","proto":"tcp","src_port":33106,"dst_port":1650,"service":"http","classification":"port_1650_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002278604e1bb778b81b1ec8f20295d10fcbbd07acec\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.092208570204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 1650, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022d14eebd2cbd907dfd9329b7631d6e643c59cb0ba\u0022, \u0022event_fingerprint\u0022: \u0022e2b7bbaade898493235a426dad5f2165479ef91f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_1650_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022cd8ed7cac017edbdeeb072bcbbee4afd\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1650, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1650\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1650\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1650\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1650\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1650\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_1650_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c7e118c342de823870d097e2c0bd619f08c79de5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 1650, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1650\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 1650 tcp \u00b7 via HTTP:1650 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221650 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_1650_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_1650_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1650, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 1650, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 1650 tcp \u00b7 via HTTP:1650 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1650\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00221650 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221650\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:1650","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11885579,"ip":"34.77.25.38","ts":"2026-07-14 10:02:31.000000","proto":"tcp","src_port":54338,"dst_port":5680,"service":"http","classification":"port_5680_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002256370a945ff85c0bd4c496b55baeea5de5561550\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.111077662684571, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 5680, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002273f174fb2d0547e200482d4bc1efaeafbb4ea101\u0022, \u0022event_fingerprint\u0022: \u002277bb653795fcdfaf50e2165b81c8c536805a0ac7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_5680_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022acbb7fca5a391ac160c0349aeba70aff\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5680, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5680\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5680\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5680\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5680\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5680\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_5680_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229c0517b664005cd34458a15f07bef8962e9d6f82\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 5680, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5680\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 5680 tcp \u00b7 via HTTP:5680 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225680 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_5680_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_5680_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5680, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 5680, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 5680 tcp \u00b7 via HTTP:5680 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5680\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00225680 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225680\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5680","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11884437,"ip":"34.77.25.38","ts":"2026-07-14 10:01:09.000000","proto":"tcp","src_port":36954,"dst_port":19443,"service":"http","classification":"port_19443_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00222d7536f1f122a2237cdb15ca4659e58acd7686cd\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.124116648788935, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 19443, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022db95c8ffbe1fa402b0cb928f12b663b96c4db739\u0022, \u0022event_fingerprint\u0022: \u002230cac791387231666b91c8a23c5905420b97cd25\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_19443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002258a32db0ecbe62259ef87b715c3629c3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 19443, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_19443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226082326b37378545f1036b4462364b61a12a6123\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 19443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 19443 tcp \u00b7 via HTTP:19443 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002219443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_19443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_19443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 19443, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 19443, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 19443 tcp \u00b7 via HTTP:19443 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002219443 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002219443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:19443","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11882722,"ip":"34.77.25.38","ts":"2026-07-14 09:55:48.000000","proto":"tcp","src_port":35972,"dst_port":12511,"service":"http","classification":"port_12511_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022e3751c8514229b9b107833bcc9b2180d4253800a\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.074830169211816, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 12511, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002292103672ad58eb4fa4d7083efd4ceb3a7283d4b5\u0022, \u0022event_fingerprint\u0022: \u0022520415a11cc0dc5739a9cc8ad216466fbc3c35b1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_12511_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022d97ab4cb4a3a0eb4b4cabefbb7b1e790\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 12511, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12511\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12511\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12511\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12511\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12511\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_12511_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221f6bff52d9858289e89230adf3f43e8469c635ea\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 12511, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12511\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 12511 tcp \u00b7 via HTTP:12511 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002212511 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_12511_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_12511_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 12511, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 12511, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 12511 tcp \u00b7 via HTTP:12511 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12511\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002212511 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002212511\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:12511","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11881945,"ip":"34.77.25.38","ts":"2026-07-14 09:54:18.000000","proto":"tcp","src_port":51976,"dst_port":400,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002228cc8927f10357e3b83fb9bd8b93f05a7c3161db\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 145, \u0022payload_entropy\u0022: 5.100619111776762, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 400, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022294a6a5bb3dbb180236587f5e193e003796c6154\u0022, \u0022event_fingerprint\u0022: \u00220218d766b3a015ed5738b599f9e566c89c23aa5e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 44}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022859d74c5dc4332b76429b9636685bdcc\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 400, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:400\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnectio\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:400\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:400\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnectio\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:400\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:400\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnectio\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f289b7ab681c69aacd92e96a9f77262e398274d3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 400, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:400\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnectio\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:400 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u0022400 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 400, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 400, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:400 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:400\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnectio\u0022, \u0022target_port_label\u0022: \u0022400 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022400\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:400","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":145},{"id":11881898,"ip":"34.77.25.38","ts":"2026-07-14 09:54:15.000000","proto":"tcp","src_port":58866,"dst_port":2202,"service":"http","classification":"port_2202_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022d254a6d4649644044b64e1d015cc5c4cad1a9287\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.069981772273612, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 2202, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022d5b75b794321c86f73b393046599c3e6e0608fa4\u0022, \u0022event_fingerprint\u0022: \u0022ef9fd59fcfc77840938f5c8f6dce89120067aef1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_2202_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002273b933927b793bf2e0f58bd79383e2a5\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2202, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2202\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2202\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2202\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2202\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2202\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_2202_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f69305589abd74666268fb9ef9f7dcc4fdc5c7e1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 2202, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2202\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 2202 tcp \u00b7 via HTTP:2202 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222202 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_2202_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_2202_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2202, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 2202, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 2202 tcp \u00b7 via HTTP:2202 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2202\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00222202 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222202\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2202","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11881122,"ip":"34.77.25.38","ts":"2026-07-14 09:53:21.000000","proto":"tcp","src_port":48166,"dst_port":3078,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022dcef46ceeaa051935cf3aa06d326c4a13b88d980\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.118921820408727, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 3078, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00227feb2aae9f6126fb8ebdb46b24ee8dace3fd7dc2\u0022, \u0022event_fingerprint\u0022: \u0022fd797a7de9fd338ed846595e7f4335d2ff9baba3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002250c0edaca63432aa8b62b0e20c3149ef\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3078, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3078\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3078\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3078\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3078\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3078\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227e8b81729ba8536f48fc5bcbfaa7e3f64ae418fa\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 3078, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3078\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:3078 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00223078 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3078, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 3078, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:3078 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3078\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00223078 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223078\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [82, 3078, 4848, 11184, 12507], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3078","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11880995,"ip":"34.77.25.38","ts":"2026-07-14 09:53:13.000000","proto":"tcp","src_port":45054,"dst_port":82,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.086680058107535, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022f264e725331fee65938af7f1f9ae2090023b56c9\u0022, \u0022event_fingerprint\u0022: \u0022d4e47aa681382d5bd046800841e7d1bacd808362\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022219aa90bee07aa79b21e1ebbe0b00fe3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002264af7b45ca15b65b31a32a4d5d1009aec8c86cc5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:82 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 6}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:82 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:82\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [82, 4848, 11184, 12507], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":144},{"id":11880869,"ip":"34.77.25.38","ts":"2026-07-14 09:53:04.000000","proto":"tcp","src_port":35942,"dst_port":11184,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00229d0514077d1f635ba9befeae11522562e37b0c6c\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.1156464957424275, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 11184, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00222eab0856b9e363a9a54208e74f041e5c3d47269b\u0022, \u0022event_fingerprint\u0022: \u002203e79937c6860a0b96f07cc747f12e7a29b3ee1b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00228c216f6fedc4d87b09e70d4e4c37ae4d\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11184, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11184\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11184\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11184\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11184\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11184\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223b2501a963ec9cb6f7f3623e741e3ff41aa2d0cf\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 11184, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11184\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:11184 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u002211184 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 11184, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 11184, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:11184 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:11184\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002211184 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211184\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:11184","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11880531,"ip":"34.77.25.38","ts":"2026-07-14 09:52:41.000000","proto":"tcp","src_port":58366,"dst_port":12507,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022baca491ff1f53f806f1180aa8a569d8b465de968\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.107855699635443, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 12507, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00229856f38a0ef9d0a940083be63f201b0064c75095\u0022, \u0022event_fingerprint\u0022: \u0022806ac7604881239ce4276a2c42926e95c94153ba\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00226776df27646545cc730fbf94af314da3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 12507, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12507\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12507\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12507\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12507\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12507\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228495370e691a5a24175b757ec7198b62a0ce98d9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 12507, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12507\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:12507 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u002212507 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 12507, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 12507, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:12507 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12507\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002212507 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002212507\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:12507","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11880387,"ip":"34.77.25.38","ts":"2026-07-14 09:52:31.000000","proto":"tcp","src_port":51836,"dst_port":4848,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022cf5ec6180d41be2eb2189c72200cd50a6617bc53\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.129946755165142, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 4848, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022792a6245b95a749e0d70407441eb41c12e61ef3b\u0022, \u0022event_fingerprint\u0022: \u0022b2f27edaad2ef96f31757152c28401f68a41a07c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00221b5ee267cbe4e139e2215c5730ceda80\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4848, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4848\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4848\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4848\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4848\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4848\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b42a98817132347216f47f3b7ebf7063f4a675f1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 4848, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4848\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:4848 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00224848 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 4848, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 4848, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:4848 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4848\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00224848 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224848\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:4848","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11879724,"ip":"34.77.25.38","ts":"2026-07-14 09:51:46.000000","proto":"tcp","src_port":41216,"dst_port":9383,"service":"http","classification":"port_9383_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002289e110b789479b89007658d1bc93e62b7bcec98c\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.105907200340986, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 9383, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022b37f9988616e0c5da353cd5356e9e376dc8b21cf\u0022, \u0022event_fingerprint\u0022: \u0022bdf2b3ec6a2d4ae049b2b82311370f06315a7fb4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9383_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002278043c6fd505312637febc76b8dddcf0\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9383, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9383\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9383\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9383\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9383\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9383\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9383_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022930c80cecd7d8e168f01b9c8859765ddc9aa698a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9383, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9383\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 9383 tcp \u00b7 via HTTP:9383 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229383 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_9383_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_9383_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9383, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9383, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 9383 tcp \u00b7 via HTTP:9383 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9383\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00229383 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229383\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9383","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11879573,"ip":"34.77.25.38","ts":"2026-07-14 09:51:36.000000","proto":"tcp","src_port":53174,"dst_port":12154,"service":"http","classification":"port_12154_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002220b2efbc5ccf53ee511b670c240d09ae4eab9122\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.099385546588937, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 12154, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00229eb3788f75388621a7dfdf7a79e1e1fb7992a946\u0022, \u0022event_fingerprint\u0022: \u0022ef4219383896e567d51523e0acc89fb0279b6105\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_12154_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00225ceaf6c7d5f1948588ee4c566ea4601f\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 12154, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_12154_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002207486a70ae766e3ce979ca85b1b6724a1bab2b81\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 12154, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 12154 tcp \u00b7 via HTTP:12154 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002212154 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_12154_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_12154_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 12154, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 12154, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 12154 tcp \u00b7 via HTTP:12154 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002212154 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002212154\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:12154","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11879498,"ip":"34.77.25.38","ts":"2026-07-14 09:50:45.000000","proto":"tcp","src_port":40592,"dst_port":10100,"service":"http","classification":"port_10100_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00227b5dc22470614ec1eadcb6d85a3b97e3afdd965d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.085780104412065, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 10100, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002204fc9b5fd93b6883bc9cb0c182c15fb59aa47b78\u0022, \u0022event_fingerprint\u0022: \u0022f91c4a3575c482a229cb9ce2f5c324a3d4f096a0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_10100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022f20f1cc7728b7cfc41dec0632a9af5dc\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10100, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10100\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10100\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10100\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10100\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10100\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_10100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a97c6373c16cd127b3a20d0b7d3da25b112959d6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 10100, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10100\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 10100 tcp \u00b7 via HTTP:10100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210100 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_10100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_10100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10100, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 10100, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 10100 tcp \u00b7 via HTTP:10100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10100\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002210100 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:10100","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11879439,"ip":"34.77.25.38","ts":"2026-07-14 09:49:42.000000","proto":"tcp","src_port":37794,"dst_port":12195,"service":"http","classification":"port_12195_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002281c791dd6b2d9a35765c73f31ae3e3c8b31b56f7\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.099385546588937, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 12195, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00221e7db769ab7b80fd4fd7316adf0dce05709e7727\u0022, \u0022event_fingerprint\u0022: \u00223a501a543204030285647b1df08239f6480b4608\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_12195_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022db83931c0711b6e8aa290113a3bc026f\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 12195, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12195\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12195\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12195\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12195\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12195\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_12195_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f0747d5042edb2e32d14d03e35d50bc1aac1b854\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 12195, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12195\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 12195 tcp \u00b7 via HTTP:12195 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002212195 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_12195_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_12195_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 12195, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 12195, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 12195 tcp \u00b7 via HTTP:12195 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:12195\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002212195 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002212195\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:12195","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11879385,"ip":"34.77.25.38","ts":"2026-07-14 09:48:27.000000","proto":"tcp","src_port":47126,"dst_port":3151,"service":"http","classification":"port_3151_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022540b739c7c0911920dd9cedfabd8b5632bffd65c\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.072655467654182, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 3151, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002281bdf7386179d325ca4a643f9d859234f8d09a5d\u0022, \u0022event_fingerprint\u0022: \u0022ac86fb5f7796ebaa50415ced59e63d09e402c58a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3151_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00227ac2efeaa3684955d298e323daa61c3f\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3151, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3151_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002283f2521d7e4188fdc7bbb66bff89ee33fb882d44\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 3151, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 3151 tcp \u00b7 via HTTP:3151 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223151 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3151_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3151_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3151, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 3151, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 3151 tcp \u00b7 via HTTP:3151 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00223151 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223151\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3151","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11879379,"ip":"34.77.25.38","ts":"2026-07-14 09:48:13.000000","proto":"tcp","src_port":46860,"dst_port":444,"service":"http","classification":"port_444_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002296bd0f703b966543acff1c39b6284d0525249c56\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 145, \u0022payload_entropy\u0022: 5.100619111776762, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 444, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002241a30c4db0023b5817a7cef196f3a03578e26740\u0022, \u0022event_fingerprint\u0022: \u0022f0ea505da9cd3ea22a3bdb5e73f8dc37e1be39da\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_444_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022077e1fb27c3a28157c01d0f67ffe0eaf\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 444, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnectio\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnectio\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnectio\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_444_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226216718183039fc4a0379b3069c860d3f8fa536d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 444, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnectio\u0022, \u0022attack_vector\u0022: \u0022port 444 tcp \u00b7 via HTTP:444 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022444 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_444_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_444_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 444, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 444, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 444 tcp \u00b7 via HTTP:444 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:444\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnectio\u0022, \u0022target_port_label\u0022: \u0022444 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022444\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:444","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":145},{"id":11879332,"ip":"34.77.25.38","ts":"2026-07-14 09:47:07.000000","proto":"tcp","src_port":40030,"dst_port":4063,"service":"http","classification":"port_4063_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022758aaecdbc6749375f962bdbe1ff7a775c05ff02\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.105223190271739, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 4063, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a4c6d3fa8ad701e894c194670efef17ea4937cb3\u0022, \u0022event_fingerprint\u0022: \u0022b75f1af4731be320fa473879a8de869f18751d44\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_4063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00229758b30184ab5539fc0a9857bad3a888\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4063, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4063\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4063\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4063\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4063\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4063\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_4063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022304775167eb74f01d3286baa1fba7634f17addc7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 4063, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4063\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 4063 tcp \u00b7 via HTTP:4063 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224063 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_4063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_4063_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 4063, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 4063, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 4063 tcp \u00b7 via HTTP:4063 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4063\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00224063 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224063\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:4063","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11879279,"ip":"34.77.25.38","ts":"2026-07-14 09:45:50.000000","proto":"tcp","src_port":48114,"dst_port":9169,"service":"http","classification":"port_9169_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022d82991aec912c7ee20c838fae2e5eae5f2dc7f27\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.111077662684571, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 9169, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002286501ed127ab822de9bad1c981c78af8c27d4853\u0022, \u0022event_fingerprint\u0022: \u00229a9af64214bbf05c724f151df463b67eb70bb905\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9169_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00225570922ed317b6c81c679e2ea57c9e19\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9169, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9169\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9169\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9169\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9169\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9169\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9169_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aa456f1a99cee3a602933dd44ae35036c712f9ec\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9169, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9169\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 9169 tcp \u00b7 via HTTP:9169 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229169 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_9169_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_9169_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9169, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9169, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 9169 tcp \u00b7 via HTTP:9169 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9169\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00229169 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229169\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9169","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11879246,"ip":"34.77.25.38","ts":"2026-07-14 09:44:59.000000","proto":"tcp","src_port":57936,"dst_port":17082,"service":"http","classification":"port_17082_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002272813ac546c14415a53a70fcc80b382993ce6aa6\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.126596430942677, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 17082, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00227a66281dbcf14c0aa898c5fc8b1701334bb077fe\u0022, \u0022event_fingerprint\u0022: \u00223831aa92cbe4d1fb8dc25d70cbdcadb695b6c8b2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_17082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002283d6a89d00734f0ad33c9647e31ecb85\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 17082, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17082\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17082\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17082\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17082\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17082\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_17082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a0dd4da985fad629ac5722afaa34a051ce973a08\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 17082, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17082\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 17082 tcp \u00b7 via HTTP:17082 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002217082 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_17082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_17082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 17082, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 17082, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 17082 tcp \u00b7 via HTTP:17082 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17082\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002217082 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002217082\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:17082","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11879139,"ip":"34.77.25.38","ts":"2026-07-14 09:42:48.000000","proto":"tcp","src_port":34398,"dst_port":9035,"service":"http","classification":"port_9035_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022c7f1020e5ba83af96eaf85c573a74069f757ac79\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.100052727928154, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 9035, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022fa889271b2f7899b95de15d2e6eabc00eeb5b031\u0022, \u0022event_fingerprint\u0022: \u00225be24550cdf66e82e3a8e42be199f84fb1d5ba9c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9035_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022515bafcb397d566c98b0011636cbbce6\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9035, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9035\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9035\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9035\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9035\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9035\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9035_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227b44c64a643ef02907c22414da5e210048ecf621\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9035, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9035\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 9035 tcp \u00b7 via HTTP:9035 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229035 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_9035_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_9035_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9035, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9035, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 9035 tcp \u00b7 via HTTP:9035 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9035\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00229035 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229035\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9035","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11879132,"ip":"34.77.25.38","ts":"2026-07-14 09:42:36.000000","proto":"tcp","src_port":33678,"dst_port":9151,"service":"http","classification":"port_9151_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022105598dab974ab2f939d837f92da48357c897259\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.097379032547585, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 9151, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002267cd84080579e7fe88bef6839b163127cee1acba\u0022, \u0022event_fingerprint\u0022: \u00225a99d927e7c53f2482d7d9af15da2df261a622e3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9151_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00229053f396b3db74f2bd7a18ea3e85c7a6\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9151, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9151_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b87fc514dfaf7da30dfa43af2f41fbb33da160c2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9151, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 9151 tcp \u00b7 via HTTP:9151 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229151 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_9151_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_9151_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9151, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9151, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 9151 tcp \u00b7 via HTTP:9151 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9151\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00229151 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229151\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9151","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11879061,"ip":"34.77.25.38","ts":"2026-07-14 09:40:43.000000","proto":"tcp","src_port":56448,"dst_port":8123,"service":"http","classification":"port_8123_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002215f4f9799fa92d8e7e5cb90724eb1ec2b33ec46f\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.091524560134753, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 8123, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00229fa83b631b47c2a330b4d59d07a14c0ec24c59e5\u0022, \u0022event_fingerprint\u0022: \u00228c4cc0a85bb618a9aa8e4ea283c10f174a30e749\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_8123_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002269096c05c21c6c9b4ad796d0741b6148\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8123, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8123\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8123\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8123\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8123\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8123\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_8123_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223ccf9d81302abebdb55b3ff433e0bffa28d61ec6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8123, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8123\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 8123 tcp \u00b7 via HTTP:8123 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228123 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_8123_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_8123_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8123, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8123, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 8123 tcp \u00b7 via HTTP:8123 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8123\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00228123 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228123\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8123","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878971,"ip":"34.77.25.38","ts":"2026-07-14 09:38:49.000000","proto":"tcp","src_port":57548,"dst_port":16010,"service":"http","classification":"port_16010_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00221cd2744106700ab51749a7c0080ba4d56bc0cbc6\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.094250257458573, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 16010, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00227d4df2fbc6f1d17454c03e12e98c266e349f1bb7\u0022, \u0022event_fingerprint\u0022: \u0022b2e07cdb958b18fd76da4c2826993ae15435453f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_16010_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002292ed57092039d9111c396bf281eef8c0\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 16010, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16010\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16010\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16010\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16010\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16010\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_16010_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002249e554d7c46be605ec6264f42bbdd8296287f687\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 16010, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16010\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 16010 tcp \u00b7 via HTTP:16010 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002216010 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_16010_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_16010_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 16010, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 16010, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 16010 tcp \u00b7 via HTTP:16010 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16010\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002216010 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002216010\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:16010","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11878947,"ip":"34.77.25.38","ts":"2026-07-14 09:38:25.000000","proto":"tcp","src_port":33920,"dst_port":2154,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022e42ba49705c0a70b16cc9285ee58bbf514d9c25d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.097379032547585, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 2154, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022c55d2846c42a936fe47634f343f1b131428202a5\u0022, \u0022event_fingerprint\u0022: \u0022fb563a25d16e98d6f74a04a65a74431537f2b041\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022d9754170113eb27ebd430df60ca7ab4f\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2154, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220bafe2e1d6cc6c7f89fe7c2b2b93baf730080d1a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 2154, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:2154 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00222154 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2154, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 2154, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:2154 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2154\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00222154 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222154\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [2154, 2209, 9051, 16037], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2154","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878911,"ip":"34.77.25.38","ts":"2026-07-14 09:37:48.000000","proto":"tcp","src_port":47466,"dst_port":9051,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00225c9f82b68feec1ad859b9a0517a23ef2de1afea9\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.105907200340986, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 9051, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00227c624603cb0c76c30b57c56930c6be7dc2c84f76\u0022, \u0022event_fingerprint\u0022: \u00221ea1b7f91fbbc1be7829010df3e3eaac65f4b90a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 44}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002257cfd426bd343bbbdffb4ede2b4b16f8\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9051, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9051\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9051\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9051\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9051\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9051\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225574bf1592221412979fb6ea0db1ff8aa75e79b0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9051, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9051\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:9051 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00229051 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9051, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9051, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:9051 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9051\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00229051 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229051\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9051","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878906,"ip":"34.77.25.38","ts":"2026-07-14 09:37:43.000000","proto":"tcp","src_port":58536,"dst_port":2209,"service":"http","classification":"port_2209_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022112d583544f9f2afa452bd7f74af42d736b8de6a\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.096695022478339, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 2209, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022279c772457ab6c75181ad3e1cf06afcebd9efbd7\u0022, \u0022event_fingerprint\u0022: \u00223cb1ef9a8628fd353756c6bf457f60abdaa579bd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_2209_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00223feb7fef29ae095da8286c7d1ab08c2f\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2209, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2209\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2209\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2209\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2209\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2209\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_2209_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002282900db75980ecb84d8c4e5a85f7bfa81bbac5b5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 2209, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2209\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 2209 tcp \u00b7 via HTTP:2209 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222209 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_2209_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_2209_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2209, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 2209, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 2209 tcp \u00b7 via HTTP:2209 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2209\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00222209 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222209\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2209","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878902,"ip":"34.77.25.38","ts":"2026-07-14 09:37:40.000000","proto":"tcp","src_port":37942,"dst_port":16037,"service":"http","classification":"port_16037_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00220b81dea2e7a01377c2f4920d9b39ae3e4c453346\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.110511206612064, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 16037, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022ac9064987b633a480b597aa20340f235d9e74761\u0022, \u0022event_fingerprint\u0022: \u00224912103de4ae7b41d0b1140f19a6ac11e52b5375\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_16037_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022fb5c85b1fdc57319c80ffbf3d1d83929\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 16037, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16037\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16037\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16037\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16037\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16037\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_16037_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b38e6324d6f8d9f663f7a03677cb3f0ed52b3391\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 16037, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16037\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 16037 tcp \u00b7 via HTTP:16037 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002216037 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_16037_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_16037_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 16037, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 16037, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 16037 tcp \u00b7 via HTTP:16037 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16037\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002216037 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002216037\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:16037","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11878862,"ip":"34.77.25.38","ts":"2026-07-14 09:36:37.000000","proto":"tcp","src_port":33440,"dst_port":5277,"service":"http","classification":"port_5277_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002207ec9f6a2fa67842ff73d9b50fd3510e055fbf9e\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.1025494948911705, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 5277, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00226a8841c96e1294157450252d0e8a21921132fd1e\u0022, \u0022event_fingerprint\u0022: \u0022e0c456f67c8aec4de341b7558435caea1a9cddac\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_5277_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022c325bd62d9afdcda72c0716edd92432d\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5277, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5277\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5277\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5277\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5277\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5277\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_5277_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b4fdb323d05d9e38c0e839dc0761e9bb2f1b7d98\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 5277, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5277\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 5277 tcp \u00b7 via HTTP:5277 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225277 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_5277_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_5277_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5277, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 5277, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 5277 tcp \u00b7 via HTTP:5277 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5277\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00225277 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225277\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5277","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878813,"ip":"34.77.25.38","ts":"2026-07-14 09:35:50.000000","proto":"tcp","src_port":55068,"dst_port":8493,"service":"http","classification":"port_8493_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00225b01f8952c5a035daf40b0567f69473c931fc7c7\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.132620450545713, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 8493, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00224c6d92cef4755819a50e66d44e63a11f4b28292f\u0022, \u0022event_fingerprint\u0022: \u0022fd10d7b8afe000989aa8c2d09e68f5dd5e78195f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_8493_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002233102afae932c62203dd325b4557e3f9\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8493, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8493\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8493\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8493\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8493\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8493\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_8493_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229598588a9aa266e8ce01b3a9ecf81faa125c3343\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8493, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8493\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 8493 tcp \u00b7 via HTTP:8493 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228493 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_8493_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_8493_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8493, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8493, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 8493 tcp \u00b7 via HTTP:8493 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8493\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00228493 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228493\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8493","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878697,"ip":"34.77.25.38","ts":"2026-07-14 09:32:45.000000","proto":"tcp","src_port":48898,"dst_port":9002,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00229eb77341d923bf850a12632119cec98177710a79\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.1025494948911705, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 9002, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00221277799ac384a9764c4a87e7a4d6cf416e4d4817\u0022, \u0022event_fingerprint\u0022: \u002298bac1f317647fd8bceeccb4652d3c2172c9c50c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002216c8df8bb528cebd1cb9df8cc5c6ba15\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9002, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9002\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9002\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9002\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9002\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9002\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d0c0c0cea9187a3d8eb495af607128db06b8c1e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9002\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:9002 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00229002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:9002 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9002\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00229002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [4243, 8015, 8556, 9002, 10254], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9002","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878694,"ip":"34.77.25.38","ts":"2026-07-14 09:32:42.000000","proto":"tcp","src_port":34710,"dst_port":8015,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022dbbf72d8a10b0fde36c3fddd66a29360b9c4f477\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.105907200340986, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 8015, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00222b07cb4bd0a957231f68f250aaa96351f50480d7\u0022, \u0022event_fingerprint\u0022: \u00220d74d0ca05645b1ce87ddacedfb506774bfeec82\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022dacf8ecafa388d2a3831d3d0009ba46c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8015, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8015\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8015\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8015\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8015\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8015\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022600edac0b851fc9e46d2d0b423542278fcbc25ac\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8015, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8015\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8015 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228015 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8015, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8015, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8015 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8015\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00228015 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228015\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [4243, 8015, 8556, 10254], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8015","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878691,"ip":"34.77.25.38","ts":"2026-07-14 09:32:36.000000","proto":"tcp","src_port":50228,"dst_port":4243,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022711ef871fd03b38fc167a96cbc6fc823a41436b9\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.096695022478339, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 4243, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002233ad9755c670e6b2d934a8b5996eb1fe4790ab83\u0022, \u0022event_fingerprint\u0022: \u00226cfb9d1bc0907934b6e6c787f62a0a18820f5c26\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 44}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00221fe2f30765992ba0f12a66dfdad7d0b3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4243, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4243\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4243\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4243\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4243\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4243\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c8fba8666b1d497883f07d631a07fd14afe3ecdf\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 4243, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4243\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:4243 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00224243 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 4243, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 4243, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:4243 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4243\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00224243 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224243\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:4243","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878678,"ip":"34.77.25.38","ts":"2026-07-14 09:32:20.000000","proto":"tcp","src_port":46782,"dst_port":10254,"service":"http","classification":"port_10254_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022e61163d8289bc4f196a6ce615b2c4922021a55a5\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.107855699635443, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 10254, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a63df15c11066bbf71c4f350a9ad7b84404ac861\u0022, \u0022event_fingerprint\u0022: \u0022b872312ac969ceeab9b128779ef803810d11161d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_10254_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002219dab7c7ddf5a7f605d1a2403449909c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10254, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10254\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10254\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10254\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10254\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10254\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_10254_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022329712a38601125d40d0223a54f5eee8d731b347\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 10254, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10254\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 10254 tcp \u00b7 via HTTP:10254 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210254 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_10254_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_10254_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10254, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 10254, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 10254 tcp \u00b7 via HTTP:10254 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10254\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002210254 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210254\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022https\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:10254","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_web_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11878646,"ip":"34.77.25.38","ts":"2026-07-14 09:31:47.000000","proto":"tcp","src_port":48968,"dst_port":8556,"service":"http","classification":"port_8556_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00229855380f66f03c498d54d766c22b8988d70f08f8\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.1025494948911705, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 8556, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u00224e8a54d700301bb0d1f8dff2643a7b3386d1ce43\u0022, \u0022event_fingerprint\u0022: \u0022a0f960e1f8a3bc80925ff7f5ff47d2401b150be9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_8556_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u002215237f297c9716c1d04cf56a735d6d8c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8556, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8556\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8556\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8556\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8556\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8556\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_8556_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220a0fb1ad40fece729971d36768553986632fc0e8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8556, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8556\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 8556 tcp \u00b7 via HTTP:8556 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228556 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_8556_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_8556_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8556, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8556, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 8556 tcp \u00b7 via HTTP:8556 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8556\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00228556 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228556\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022elasticsearch\u0022, \u0022http\u0022, \u0022https\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8556","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878593,"ip":"34.77.25.38","ts":"2026-07-14 09:30:39.000000","proto":"tcp","src_port":44852,"dst_port":16048,"service":"http","classification":"port_16048_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00222042cc518a85c2c3cec5c32140066d4c9e60d0d7\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 147, \u0022payload_entropy\u0022: 5.135066583989185, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 16048, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002228563bdf43d712e60993297fc1170d969a5383f8\u0022, \u0022event_fingerprint\u0022: \u002279af64b87bc9d554af05c7f9cc3b0f8df94487bc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_16048_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022217334b36a4430bfe9e2420c894e5daa\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 16048, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16048\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16048\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16048\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16048\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16048\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_16048_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229eed02594dd99c43b691712eeeeb97069aacaa96\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 16048, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16048\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022attack_vector\u0022: \u0022port 16048 tcp \u00b7 via HTTP:16048 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002216048 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_16048_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_16048_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 16048, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 16048, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 16048 tcp \u00b7 via HTTP:16048 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:16048\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnect\u0022, \u0022target_port_label\u0022: \u002216048 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002216048\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022elasticsearch\u0022, \u0022http\u0022, \u0022https\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:16048","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":147},{"id":11878585,"ip":"34.77.25.38","ts":"2026-07-14 09:30:33.000000","proto":"tcp","src_port":52330,"dst_port":7473,"service":"http","classification":"port_7473_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022c22a3d67e0f4d6ed66e510eff8ead941605e8fc7\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.118921820408727, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 7473, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022a475d9262ddfcddbb0535cd5c856b542be7e5ea5\u0022, \u0022event_fingerprint\u0022: \u0022fa4a89e3fa3dc6ee6562f1009c48efa62e5ac308\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_7473_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022606f0794db626bc93cc1f66abb3a028c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7473, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7473\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7473\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7473\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7473\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7473\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_7473_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229c67706ca464d6181a2853ea875f5a829f6bd7a2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 7473, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7473\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 7473 tcp \u00b7 via HTTP:7473 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227473 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_7473_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_7473_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7473, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 7473, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 7473 tcp \u00b7 via HTTP:7473 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7473\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00227473 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227473\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022elasticsearch\u0022, \u0022http\u0022, \u0022https\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:7473","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878502,"ip":"34.77.25.38","ts":"2026-07-14 09:28:42.000000","proto":"tcp","src_port":51254,"dst_port":8102,"service":"http","classification":"port_8102_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u002212cd3243a8168824f53a85437c817335d54dc068\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.1025494948911705, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 8102, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002257a502c6ee25e79096275fdcb91d65e1abffd66c\u0022, \u0022event_fingerprint\u0022: \u00223254f8d39dca1d0776c46d04f0fc369b0e44d038\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_8102_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00226d1dfc9c5e41b3b45bb9fa0419835a22\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8102, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8102\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8102\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8102\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8102\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8102\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_8102_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225a73e7cb560f67e6bb20e5e0f87e1f89defa0ce5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8102, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8102\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 8102 tcp \u00b7 via HTTP:8102 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228102 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_8102_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_8102_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8102, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 8102, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 8102 tcp \u00b7 via HTTP:8102 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8102\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00228102 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228102\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 4, \u0022multi_protocol_sample\u0022: [\u0022elasticsearch\u0022, \u0022http\u0022, \u0022https\u0022, \u0022unreal-game\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8102","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11878489,"ip":"34.77.25.38","ts":"2026-07-14 09:28:26.000000","proto":"tcp","src_port":45172,"dst_port":2060,"service":"http","classification":"port_2060_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00224de4536579428ac58fb54ba9d2cc9f1b6abab530\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.088850864754183, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 2060, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002271fd462de2441546a33147248e1241eb00ed6db6\u0022, \u0022event_fingerprint\u0022: \u002212dcf9a0f0f8b6627132abb2d91adbc44f85ba20\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_2060_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u00229f7c6d42583676cce245dc1f1e51adea\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2060, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2060\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2060\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2060\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2060\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2060\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_2060_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022694072bdef5ac3757d73d908a7b45fc0f9d15aba\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 2060, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2060\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 2060 tcp \u00b7 via HTTP:2060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222060 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_2060_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_2060_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2060, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 2060, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 2060 tcp \u00b7 via HTTP:2060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2060\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00222060 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 4, \u0022multi_protocol_sample\u0022: [\u0022elasticsearch\u0022, \u0022http\u0022, \u0022https\u0022, \u0022unreal-game\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2060","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11877111,"ip":"34.77.25.38","ts":"2026-07-14 09:27:29.000000","proto":"tcp","src_port":38596,"dst_port":8443,"service":"https","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.118921820408727, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 8443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ee1718673413d9545e04a504276fd0deb0f77bc5\u0022, \u0022event_fingerprint\u0022: \u002248aa5a12dd4150e072f6d3dd03f9143ac67f8d69\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e5162f398b5bb2a96a251769149115e8\u0022, \u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022service_name\u0022: \u0022https\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.82, \u0022classification_confidence\u0022: 0.82, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002286c334462672a2aecee2bba2e9479a04dffd4d61\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 82, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 8443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00228443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 82 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 5, \u0022multi_protocol_sample\u0022: [\u0022couchdb\u0022, \u0022elasticsearch\u0022, \u0022http\u0022, \u0022https\u0022, \u0022unreal-game\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":146},{"id":11876119,"ip":"34.77.25.38","ts":"2026-07-14 09:26:52.000000","proto":"tcp","src_port":42784,"dst_port":9200,"service":"elasticsearch","classification":"port_9200_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022d19a1b8472adabca1ee6e310101ca46b45ece34e\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.1025494948911705, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 50.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022fe7ac2601ae2bf63d0f1dbab8f948418f30b0512\u0022, \u0022event_fingerprint\u0022: \u00228946f73ac8f1897ea3583eb2dafa77519abd1534\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9200_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022829bf77f0ff569e44e95d90851851522\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9200\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9200\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9200\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9200\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9200\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9200_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223d2c30d3627f7065c6725767ca5f9fffc9f9fa55\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022elasticsearch_probe_fr\u0022: \u0022Requ\u00eate Elasticsearch : \/\u0022, \u0022port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_label_fr\u0022: \u0022ELASTICSEARCH\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9200\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 9200 tcp \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229200 \u00b7 ELASTICSEARCH\u0022, \u0022emulator_service\u0022: \u0022elasticsearch\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_9200_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_9200_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022service_label_fr\u0022: \u0022ELASTICSEARCH\u0022, \u0022dst_port\u0022: 9200, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022elasticsearch_probe_fr\u0022: \u0022Requ\u00eate Elasticsearch : \/\u0022, \u0022port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_label_fr\u0022: \u0022ELASTICSEARCH\u0022}, \u0022attack_vector\u0022: \u0022port 9200 tcp \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9200\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00229200 \u00b7 ELASTICSEARCH\u0022, \u0022emulator_service\u0022: \u0022elasticsearch\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 4, \u0022multi_protocol_sample\u0022: [\u0022couchdb\u0022, \u0022elasticsearch\u0022, \u0022http\u0022, \u0022unreal-game\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_elasticsearch_probe\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9200","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_elasticsearch_probe\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":6,"bytes_in":146},{"id":11874874,"ip":"34.77.25.38","ts":"2026-07-14 09:26:07.000000","proto":"tcp","src_port":34994,"dst_port":9058,"service":"http","classification":"port_9058_tcp","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u0022311f1e788e6df1d5237f28c83620e191797dadc2\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.124776292821557, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 9058, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 20.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u002298d5ad90bc9ac60c26987f6cdcf3d32985fed97a\u0022, \u0022event_fingerprint\u0022: \u00224bcf4a7bbdb7069aa8974871063bebd000fbd711\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9058_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.63, \u0022classification_confidence\u0022: 0.63, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022web_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022cb54aef4c9d860c687b7597c0404edf7\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9058, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9058\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9058\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9058\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9058\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9058\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9058_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c2668e5d7e92abad3ff0f8f680f0c9764cbe408c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9058, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9058\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port 9058 tcp \u00b7 via HTTP:9058 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229058 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_9058_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_9058_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 63, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 20.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9058, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 9058, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port 9058 tcp \u00b7 via HTTP:9058 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9058\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00229058 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229058\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022couchdb\u0022, \u0022http\u0022, \u0022unreal-game\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9058","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146},{"id":11872666,"ip":"34.77.25.38","ts":"2026-07-14 09:24:47.000000","proto":"tcp","src_port":53930,"dst_port":5901,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022f343f9c1e6b4bd1214c9505270609d93a5a9cf43\u0022, \u0022http_host_hash\u0022: \u00223bbfb608d7b2ad2bc82b8c24a51d7684a5a1af3f\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.105907200340986, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 5901, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 30.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 1, \u0022campaign_key\u0022: \u0022ccb97c9f0544905442c5a44727fa4490994df9b8\u0022, \u0022event_fingerprint\u0022: \u002294978cdab46820e4a4eef4bab1c09f9e8c8836fd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f712d38ba9b9c286c823406aa572410d\u0022, \u0022payload_hash\u0022: \u0022e9c650f0875ab74098934cfd5de7075c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5901, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5901\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5901\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5901\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022scanner-ua\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5901\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnection: keep-alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5901\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a80de19612153e6aa858bb5a3b8c001ecad83bdc\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 5901, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5901\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:5901 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00225901 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 30.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5901, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022python-requests\/2.32.5\u0022, \u0022port\u0022: 5901, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:5901 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5901\\r\\nUser-Agent: python-requests\/2.32.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: *\/*\\r\\nConnecti\u0022, \u0022target_port_label\u0022: \u00225901 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225901\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 7, \u0022port_scan_ports_sample\u0022: [3953, 5901, 6581, 7779, 8549, 12335, 18034], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022couchdb\u0022, \u0022http\u0022, \u0022unreal-game\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_port_scan_slow\u0022, \u0022scanner-ua\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5901","http_user_agent":"python-requests\/2.32.5","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022anomaly:scanner-ua\u0022, \u0022http_ua_suspicious\u0022, \u0022net_port_scan_slow\u0022, \u0022scanner-ua\u0022]","anomalies":"[\u0022scanner-ua\u0022]","severity":3,"bytes_in":146}],"total_events":137}