{"ip":"34.80.146.76","exported_at":"2026-06-18T23:04:23+00:00","period_days":30,"metrics":{"events7d":0,"distinct_ports":0,"distinct_classifications":0,"max_severity":null,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":69,"attack_stage":"exploit_attempt","attack_chain_stage":null,"threat_family":["unknown"],"recommended_action":"monitor","confidence":0.89,"risk_breakdown":{"waf":60,"classification":80,"behavior":0,"geo":40,"protocol":25,"novelty":15},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":null,"top_mitre_technique":null,"top_mitre_count":null,"executive_one_liner_fr":"risque 49\/100","campaign_hint_fr":null,"confidence_breakdown":[],"persona_hostname":null,"correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":89,"confidence_hint_fr":null,"sensor_role_label_fr":null,"tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":null,"protocol_details":[],"protocol_summary_fr":null,"evidence_snippet":"GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:8445\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; I","target_port_label":"8445","emulator_service":null,"confidence_reason":null,"classification_reason":null,"classification_reason_label_fr":null,"confidence_factors_fr":null,"payload_preview":"GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:8445\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; I"},"events":[{"id":8239724,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59598,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/project\/settings.py","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022py\u0022, \u0022http_ua_hash\u0022: \u00228df500ea0c8da1770772a4a1944be3c3395e2bd2\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u002211966cc72e0bfecaa733acc41e44392e18b681e0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.410946011720039, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022b5e26d85c5d595694141f714048b5ba632f26bef\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022939c38da5eef38b1d273a1d1edf3405a\u0022, \u0022payload_hash\u0022: \u00227a93fd5dfeaaacaa5cd3fc770d8736d1\u0022, \u0022path_pattern_hash\u0022: \u0022c29c8a7c1efc84947f863a90ed9e7db7\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/project\/settings.py HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKi\u0022, \u0022event_signature\u0022: \u00223c9bc1e0c5e2a65cf4aef4a856587b574a270bde\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":260},{"id":8239725,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59614,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/system\/application\/config\/database.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00228722e02703dc1bbf95cbc71c136b8a1b4f99dd1c\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u002224e56dc80b8c9895dd6363dc3d163c6ca2669cf7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 308, \u0022payload_entropy\u0022: 5.387319383712491, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022a8e7b67c3db7aa07b1d468f81972cb0ea748c428\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222cc5e979b4aa5d7571892cda12c371fb\u0022, \u0022payload_hash\u0022: \u0022e3b08ef198019eaa438773271f49f119\u0022, \u0022path_pattern_hash\u0022: \u002270f588a640b3de59a5428f938c259cab\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/system\/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-\u0022, \u0022event_signature\u0022: \u00225255dad0e16e419d71366553ffe8ba4b562551f9\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5  (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":308},{"id":8239726,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59628,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/application\/config\/database.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00227c576cecf6b5adb4ba90ff81dfa87d1b2eb496a1\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00228f66bcac490da91a090f4ece11b5c64553bb4b4b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 279, \u0022payload_entropy\u0022: 5.353485726009494, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022828e867f242b5235bd47e46bdffcb514ef32a267\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228c877f44b51be3e9a96b4f00bc24d343\u0022, \u0022payload_hash\u0022: \u00221fa339c1dcc354015ee227fd3343f653\u0022, \u0022path_pattern_hash\u0022: \u00229be613508ad3f2d1b1d0632e2eb595e3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/application\/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plu\u0022, \u0022event_signature\u0022: \u00222ce729396262f45a9e6ad608dc64914656fea551\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.0.0; moto e5 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":279},{"id":8239727,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59626,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/application\/config\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u002213330a7d3aaee1569dd7ceebc04360c8b673fb08\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022ab5bb68257f1fdd1dfa4915fa7104485b044a078\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 254, \u0022payload_entropy\u0022: 5.41358552645004, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e99c9e39cd8f84dc03fe072b40e275e12701c58f\u0022, \u0022event_fingerprint\u0022: \u002250b0c3cc95fc8145317ffb23a875942ba0594916\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228790bcb5c8899608c144ab0e4b52234f\u0022, \u0022payload_hash\u0022: \u0022fedceae98f2f34ceb44c99a68dc732cb\u0022, \u0022path_pattern_hash\u0022: \u0022b6440fe574333494578eac2496976a1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/application\/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.\u0022, \u0022event_signature\u0022: \u00225194cf3657f767c7fd16e83a68e3cb122f740309\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":254},{"id":8239728,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59646,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/WEB-INF\/context.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u002200f19c4fac3ab32681e3031df81b790b45976f76\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022f96fa52b403933e653406cfbc2173d513c6762a6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 266, \u0022payload_entropy\u0022: 5.455224598350392, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u002212e7b8ebc89f7ff647f2383769b5a1e731d66b94\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c3f9305fc755f7c6f568137ca38c8155\u0022, \u0022payload_hash\u0022: \u0022d0d5e67eebad3b00187705ab2a2c2017\u0022, \u0022path_pattern_hash\u0022: \u00220cc3084c1a2704ec60a7fbee65b65cb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/WEB-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; rv:75.0.3770.67) AppleWebKi\u0022, \u0022event_signature\u0022: \u0022f3b78c4fe9c6726ad7c8e12595debac0cd82776a\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; rv:75.0.3770.67) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.67 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":266},{"id":8239729,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59652,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/WEB-INF\/classes\/application.properties","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022properties\u0022, \u0022http_ua_hash\u0022: \u002243dd5b020d7c728bb8611214e76f224f4d597d7a\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u002210b2e06ee448a350a7e1543add2e5ae160c495e4\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 279, \u0022payload_entropy\u0022: 5.425648807779646, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022ac7bff077af39c7cc845a7c507d80585cca95f34\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228553bb27591661bbc013aa7b2b546227\u0022, \u0022payload_hash\u0022: \u002269a4915c0001383f62cd074cb502d146\u0022, \u0022path_pattern_hash\u0022: \u0022f8e656368886c0ce42a00ebbaba2414b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X \u0022, \u0022event_signature\u0022: \u0022a0102c78099f7253b79fd16ba2cd2b1d682c688b\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":279},{"id":8239730,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59638,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/WEB-INF\/web.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00224bd3855e36bb2f4d60e680a79cfff6901b050f5c\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022294983df7ad5a41b7a3548dc9a0ed2f5cf075040\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 248, \u0022payload_entropy\u0022: 5.497325858137813, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u00224faf1e8e1fe209c94c8a713f4d8c1dd7e39aded7\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022722035bce911dbc5ae63dd88f4049f8e\u0022, \u0022payload_hash\u0022: \u002215e7fb8b2086d77a888a9867b4e3db27\u0022, \u0022path_pattern_hash\u0022: \u00222d380bdeba64643ea1e25f4789b575b6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/WEB-INF\/web.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K\u0022, \u0022event_signature\u0022: \u0022f7df0afae53b638c6908578dd795f4bd6464c919\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.81 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":248},{"id":8239731,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59668,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/META-INF\/context.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022de0a50b91b833e8ccbb3917bd04b4de46a5f3a7c\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00223986bf7cda9cc4c51e53512817fc8584b30172b0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 263, \u0022payload_entropy\u0022: 5.462183755564114, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u00221668a7d658882dfbad74ff84f975931a07e88419\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223132d103f48399f1be29a82ad9cda74d\u0022, \u0022payload_hash\u0022: \u0022cd2edadff7efef8a5a4ecda0772d00ce\u0022, \u0022path_pattern_hash\u0022: \u002230f764f600e5073ae934f34b2b98acc2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/META-INF\/context.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3 XL) AppleWebKit\/53\u0022, \u0022event_signature\u0022: \u0022e2f0f45a218d50b1fe3b7781f5d95e4a5808ee91\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; Pixel 3 XL) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":263},{"id":8239732,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59692,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.idea\/dataSources.local.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00220ac6c32052b79ada08050660ed77cfbcfabe1bd8\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u002269f35c14ff491b04a05fe95ac539edbead309c12\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 233, \u0022payload_entropy\u0022: 5.3610797559075, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022a7c6422f4c657c6dffd5baf95f2c481cfc3fb963\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221cd2887717204bbacda8fe046d5bf249\u0022, \u0022payload_hash\u0022: \u002257f16807637aeb033983bf2d19664169\u0022, \u0022path_pattern_hash\u0022: \u0022921ea8e3058ced1425d3fb1a6683e728\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.idea\/dataSources.local.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1\u0022, \u0022event_signature\u0022: \u0022002415018589c1179c9731bfb8021bccf4debef2\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) Gecko\/20110123 SeaMonkey\/2.0.12","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":233},{"id":8239733,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59682,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.idea\/dataSources.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u002279f94713fcadaf79823af4a7dc9d476c6b059d1f\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022d8b4f1d4ad149f189f1e83b2ee85c58600df146c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 263, \u0022payload_entropy\u0022: 5.461753759616188, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022bc60ab67a076325363b11f10807a496f21a0ce1e\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a3460cc6bd7abd2e66cc2b6552b2f76b\u0022, \u0022payload_hash\u0022: \u00227db1102bcc3d344b11aac7f64b2688be\u0022, \u0022path_pattern_hash\u0022: \u002245b1a6f2cf9945ad18514ad77ffdd93e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.idea\/dataSources.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM\u0022, \u0022event_signature\u0022: \u0022c352e5b2c8698186aba675bbd937308160639199\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.59","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":263},{"id":8239734,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59710,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.idea\/workspace.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00222b98b4a110bfad5cf6fac30f510c4af8cfc617d0\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022dcd10abd9e64a56ef60f2096a44fceab68d89da5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 249, \u0022payload_entropy\u0022: 5.421060892708252, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022e7f255107b9fcb8b3b82e17d761bc6c03506d5f9\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022015e075b42fd9c97293b62af91170e9f\u0022, \u0022payload_hash\u0022: \u00221c8d8ea9ff70f64215d166b4db7e41c3\u0022, \u0022path_pattern_hash\u0022: \u00225704ec26c04e317ce2b2911c876a5465\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.idea\/workspace.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (K\u0022, \u0022event_signature\u0022: \u0022343073f26184c50669c11f5107c7241fcc19d1c3\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":249},{"id":8239735,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59714,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.idea\/deployment.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022475f9ece62a7dcdd67805664bfc891d7a6ee6cc5\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022ff773c35f260c28fb8b1bfb4252a50f6e0022b05\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 236, \u0022payload_entropy\u0022: 5.425898576319036, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u00223daf129818985a8f62c4e817b694d4bbfcc8656b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225ce0ceb4be04b725af2f4dcab1b60b6b\u0022, \u0022payload_hash\u0022: \u0022a6b1ca14db3ab088336b58ecd9f6cc2a\u0022, \u0022path_pattern_hash\u0022: \u002236b6d965d63f408f7c773a687ac24612\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.idea\/deployment.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527  (KHTML\u0022, \u0022event_signature\u0022: \u0022d31f76f2d3d868b64c324a8e3ed0888704cdc9ec\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527  (KHTML, like Gecko, Safari\/419.3) Arora\/0.8.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":236},{"id":8239736,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59700,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.idea\/WebServers.xml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u002261c975e289051418f310f4707a9a210f4f3d6612\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022732626ecbb27c33e1b5cffe507928daff3e1ffcb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 257, \u0022payload_entropy\u0022: 5.393245185116003, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022c93962cb012cd75ab3a67665159c777b4842dbe1\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e2b5f30394d0648f3c813bde0e861966\u0022, \u0022payload_hash\u0022: \u0022418474cc9241200ff7f3f6a9be424d4f\u0022, \u0022path_pattern_hash\u0022: \u00223ef5b863418297cf1b3afb7572309761\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.idea\/WebServers.xml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebK\u0022, \u0022event_signature\u0022: \u0022b243315744d4c36ba1efc0dcc4ae8a0fce3e6ba1\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/602.1.50 (KHTML, like Gecko) Version\/10.0 Safari\/602.1.50","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":257},{"id":8239737,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59728,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.vscode\/sftp.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00229aeccaa7bdc0439829b125e59d7df5cb1d00f025\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022a7b754a65cd3a72c45519ffad56ec4883c279ab1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 278, \u0022payload_entropy\u0022: 5.458207456342214, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u00224188fb201503f41083fa7bd715d4de5b94568e10\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ac7c8da3241a34ed1c17cc411c48aee8\u0022, \u0022payload_hash\u0022: \u0022502f70ef2fa39d31bccf1118c11e4f6a\u0022, \u0022path_pattern_hash\u0022: \u00224379ee7559d68deac5f1bf414dd60187\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.vscode\/sftp.json HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/\u0022, \u0022event_signature\u0022: \u0022d9a61f5fbcaf47b02a3d22c5ddcb7dc56cf32b88\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.110 Safari\/537.36 Vivaldi\/2.7.1628.28","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":278},{"id":8239738,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59736,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.vscode\/settings.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022a42233fa64047e2118a9f302b54341e3297d2a4a\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00228f13238caccb97889bb93a57a58c8206b67c85b5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 245, \u0022payload_entropy\u0022: 5.419320797570221, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u002240626a783c5b6fe5ceb0870f48234e40d48f91fc\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c19fc101f73d0a7b96a170ae2f396b67\u0022, \u0022payload_hash\u0022: \u0022f2c8c38be74c6e3b12dba355c495c1af\u0022, \u0022path_pattern_hash\u0022: \u0022f5f67949e6b52d5014abefc02d1fe9f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.vscode\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM\u0022, \u0022event_signature\u0022: \u0022a93c757e539148d4ecd7bf899047a2dcadff60c2\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":245},{"id":8239739,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59740,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.vscode\/launch.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022f47b9a59f83ff87c1c152341369541a64e22a21e\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022f955acacb64b027ce0fe999c2601f7358bc4da5a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 244, \u0022payload_entropy\u0022: 5.347378147211708, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022af81eaa63b3d7fb1888ba4e98a20cfea5f7ec2ec\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f9311593796430f2654628d24dd80f1a\u0022, \u0022payload_hash\u0022: \u002221424b4e26d196760e82baf6fe7b8d82\u0022, \u0022path_pattern_hash\u0022: \u00222ff6c8576629cb803256f3fb9cd546fa\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.vscode\/launch.json HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b6pre) \u0022, \u0022event_signature\u0022: \u0022d5919af3024fdfe449ff0c2501468e5059fa7c13\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b6pre) Gecko\/20100907 Firefox\/4.0b6pre Camino\/2.2a1pre","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":244},{"id":8239740,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59762,"dst_port":8445,"service":"http","classification":"flood","waf_score":6,"waf_tags":"[\u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.travis.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u00228f53eaa75621c51a7bfaf635058b616d3b318a17\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00220f539eb712332002814a106c4304479b90529490\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 221, \u0022payload_entropy\u0022: 5.371391516215091, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223ed2702e722869828b7a86161427c6b53228e1b4\u0022, \u0022event_fingerprint\u0022: \u002209c0480c3ee47e43513d780e1c18de43501b8c71\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00224eed10234d36f21c9391620818cedf68\u0022, \u0022payload_hash\u0022: \u0022fab1f492ac5915c44ef6dae0d22309b3\u0022, \u0022path_pattern_hash\u0022: \u002231215e4931d9a8bb956098a35abb0b27\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.71, \u0022classification_confidence\u0022: 0.71, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.travis.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.\u0022, \u0022event_signature\u0022: \u0022c2ef3f9ae57bea102580b5fbcee0ae0ec5e46c3a\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.0 Configuration\/CLDC-1.1","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":7,"bytes_in":221},{"id":8239741,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59744,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.gitlab-ci.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u002278b3da388f07125922275ece3097b6f15cda702b\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022438af05b92495206533fc223d46e511d40c32485\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.415527542914793, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u0022c1f7dc08b530a2a63bce24c1fcc89cd26ce87a5a\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222fe5bca2bb102783ce93b1df880741ca\u0022, \u0022payload_hash\u0022: \u00223f8be2682f26dc3b7288c2bd73dd4dbf\u0022, \u0022path_pattern_hash\u0022: \u00221c248e6546ed96558dfcda198b4e61ef\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.gitlab-ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.\u0022, \u0022event_signature\u0022: \u0022084b98a8c1bdf74ebebc35aad412068e6e2f1ce2\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 5.1; Lenovo P70-A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":261},{"id":8239742,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59748,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.vscode\/tasks.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022ebeac4f2a4c30f7c6074d7015694432d602e90a0\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u002292e911a3df5ad35698662851e6649fca8b9cc765\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 253, \u0022payload_entropy\u0022: 5.407518143317875, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u002249b893d6d0b4fb10cf2fa50d065991a4cab8cf74\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220fd2c9c689a946cdeedd9f43588342bd\u0022, \u0022payload_hash\u0022: \u00223fd20029d9373107b6bf9c8483e07a8c\u0022, \u0022path_pattern_hash\u0022: \u002271d0e06039e234c8f571eb83415e4643\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.vscode\/tasks.json HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3\u0022, \u0022event_signature\u0022: \u0022bfe8af89cfd3e0c59c7e872c86ee92dfb9c233f2\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":253},{"id":8239743,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59776,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.circleci\/config.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u00223fd1bcce03849635e382152580bde083ef2a18c5\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u002242ed80c065555149f59c15145f7ae964b6a99b5e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 276, \u0022payload_entropy\u0022: 5.383073438136271, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u00223e11726033236d2452cf3eb70c1c6e5c5eb785e0\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222d68f820c3f8d9d6b18369b0fcbb7c7d\u0022, \u0022payload_hash\u0022: \u002261417eeaaab720e3f8ea31b5949e8221\u0022, \u0022path_pattern_hash\u0022: \u0022b893b0eec412648d41158b9ec6bd21e4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.circleci\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) A\u0022, \u0022event_signature\u0022: \u00226881231faa754d68b1aa3c9a109365c311d3bff9\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D257 Safari\/9537.53","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":276},{"id":8239744,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59782,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.github\/workflows\/deploy.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022ed9b215da6d1db83e11a82875289d9e0c24c2f00\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00229a980960a1dce8601282270803934f12c1e6c3d4\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 270, \u0022payload_entropy\u0022: 5.458187027683402, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022bf01d9edd95129ba890142fbaf395747f02b69ac\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002202f8c8c2155f15629f33f94563e29f52\u0022, \u0022payload_hash\u0022: \u0022a4e577de8fa0d5e286d3061bb56a88fc\u0022, \u0022path_pattern_hash\u0022: \u002276cfbca880390f07dc02774a92e03828\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/deploy.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 7.1) AppleWe\u0022, \u0022event_signature\u0022: \u00222eff643165ec36a83ebc7443858bbe75638f0fb8\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; Nokia 7.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":270},{"id":8239745,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59796,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.github\/workflows\/production.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022817b6e02975fea3c88f74aadbd5eb34449fef166\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u002238eaa565ff94c56233c59ea6d104fdaddcc93cea\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 269, \u0022payload_entropy\u0022: 5.452512010312878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u002203d11e015e92cb6651de06e4b63f39f39c2dfe86\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228686d78360420381c99fa55464a3da9f\u0022, \u0022payload_hash\u0022: \u0022de1b30dc8ab8f5de8bebc9a010159763\u0022, \u0022path_pattern_hash\u0022: \u00229eba29b7a547d56eaba268ebadba8373\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/production.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 6) AppleWeb\u0022, \u0022event_signature\u0022: \u002299d126e18822fcfc353352f45c43a958f7a7fc4c\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; MI 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":269},{"id":8239746,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59786,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.github\/workflows\/ci.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022942f895bfa8fcae202e82f3c021e5feda394a90b\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00223ec364769fb4698cfcca7031daf28214f8708060\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 285, \u0022payload_entropy\u0022: 5.552733922599075, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022f7bf75a9fbc45ce131ab4fd30ad2d0e4316b0411\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a811f0c560a5a9143d74c74ca2c02bbb\u0022, \u0022payload_hash\u0022: \u00228627c97f4b0f2f4083d501acfd44f093\u0022, \u0022path_pattern_hash\u0022: \u00220bac82c8c4461b7e2eb48cd6eaefa7e9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/ci.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEI\u0022, \u0022event_signature\u0022: \u0022ed106454162fb4c97c9b69989e0aa5e0c2d6e8f7\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 7.0; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.91 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":285},{"id":8239747,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59816,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/Jenkinsfile","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002215bd6428650e800f0f18253d305d7357c2904542\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00226196821c9b59b6ceb2d7ccd4d35e939ea59e7ed4\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.422449373106885, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u00221dd2e0a5406b4cace97152028369d0b1c1487587\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002236561c273fe6f4a71c6ba6c398f569ef\u0022, \u0022payload_hash\u0022: \u002273d460fe7322574c718fb7fef9422856\u0022, \u0022path_pattern_hash\u0022: \u00220d4eaf992f1a72b02518b7d952191a55\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36\u0022, \u0022event_signature\u0022: \u002269bc1be9f49d2e27a3279af84689be24ae114e26\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":252},{"id":8239748,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59826,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/jenkins\/Jenkinsfile","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00224daf44a7787894dfbebd9ba0928f1703d6298021\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022171840fe47dfd6f2d76e0b80f11136ea038cbc5d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.448729182508375, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022840bb691087edb2bdda2aa84908ed91742bc047e\u0022, \u0022event_fingerprint\u0022: \u0022b95befbdcbea107f2dcdc6360b24c9cd1f5a00cb\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022927c41fe7d780065652b5a445304b857\u0022, \u0022payload_hash\u0022: \u00222d66ce149d9d391357d6cda684ef2e17\u0022, \u0022path_pattern_hash\u0022: \u002240125f4f361452a7111c9b4a9dc1dfb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/jenkins\/Jenkinsfile HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36\u0022, \u0022event_signature\u0022: \u0022b49a758ec5269cbe39eda097f5906bbe18960f54\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_jenkins\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; POCO F1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_jenkins\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":259},{"id":8239749,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59802,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.github\/workflows\/main.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u00222e2c19c1d95990a188ae2dc3e112475ddb923307\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022235caf8bc184fcd8b7671c244cc53e88d83bf97b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 267, \u0022payload_entropy\u0022: 5.476156500495511, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u0022cbba5017f9019ea996141af25433a1b18d3d3e73\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220fc9f1f9e51b48f63de3565001461eb9\u0022, \u0022payload_hash\u0022: \u002238c5afab8a9f914fe52909f57087ef94\u0022, \u0022path_pattern_hash\u0022: \u0022e05ba7286924149fefd56c25594fa0c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.github\/workflows\/main.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKi\u0022, \u0022event_signature\u0022: \u002279a863894a3ab433255de7e13622b476a314ace1\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":267},{"id":8239750,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59840,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.drone.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u002267cd2aa88754575f856c2edf38d4b5159963a959\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00221954ac9283af903ae4a6de319bd93df245fb035e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.409989873858554, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u0022721ce21213ba734c53f2708b677ff7fc6f2997ec\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002257322d07efe3c4afc6e4b5dae3823bbb\u0022, \u0022payload_hash\u0022: \u0022af113d3fa87ca76c6ea2202f7956aeba\u0022, \u0022path_pattern_hash\u0022: \u0022f74d63edd884e7a9299ad52f54b46b61\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.drone.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36\u0022, \u0022event_signature\u0022: \u002267977437cb3291f0185171fcc6dcf67cf94713d6\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":259},{"id":8239751,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59852,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/azure-pipelines.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u002262972c4b6e969173d3b40d9b26809dd2c43da40b\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00228bacf7ba189e1d49695131e01ec30c1752198ab0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 225, \u0022payload_entropy\u0022: 5.381594404543816, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u0022d2e555b0a61d45b795b510a1d0c90899d17bfc76\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002221ac16a59755f501be526ca408ba127f\u0022, \u0022payload_hash\u0022: \u002255c4dbcb5bf49a2260760a079f53e400\u0022, \u0022path_pattern_hash\u0022: \u0022d76578f2ff8c409283f48927713c6e3e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/azure-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko\/2012042\u0022, \u0022event_signature\u0022: \u00220392173e14f20e33eedb3ba42ad92532f4159716\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko\/20120422 Firefox\/12.0 SeaMonkey\/2.9","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":225},{"id":8239752,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59848,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.drone.yaml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yaml\u0022, \u0022http_ua_hash\u0022: \u0022329b57f0c63ff8aaabab5a13dd83c43ae717d24a\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00222dde7c7ac3e6a210a636b7b4438f90ddd70a6f86\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.339926090371122, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u002217ad0eb2758357b9163608c6fc4dabfefd106216\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e1bbf2fdbf5a204510f8f30f34e5c41d\u0022, \u0022payload_hash\u0022: \u00226376228ad4cb5eff10ac36c4a7c89bcd\u0022, \u0022path_pattern_hash\u0022: \u0022375bdd2accbc560de2cef140cdb7ad08\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.drone.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0\u0022, \u0022event_signature\u0022: \u00222f956b58b2b68486f05c513e4d0bf56d864baad1\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20120502 Firefox\/12.0 SeaMonkey\/2.9.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":8239753,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59876,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.buildkite\/pipeline.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u002215cc1723a3ce8ee306d5c4f643d431e2a0eced2e\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00224bafbac6a6a3a3e498ce6febcc708140823e7542\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 262, \u0022payload_entropy\u0022: 5.395803788988233, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bcbd4b224af385400f6f89ee622bc588d34fed0f\u0022, \u0022event_fingerprint\u0022: \u00223cd48c60cb4b122efec50019a6995518f5e2a396\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022245bcf4206818c052aa9ddaa62cffd5b\u0022, \u0022payload_hash\u0022: \u0022d832c9254eb111d2cf49de6e687a7297\u0022, \u0022path_pattern_hash\u0022: \u0022483e00e02486581ed9691d00f40bae15\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.buildkite\/pipeline.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 2) AppleWebKit\/53\u0022, \u0022event_signature\u0022: \u0022af769c147230626f4d93f010fe2abafe50ac6442\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; Pixel 2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":262},{"id":8239754,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59860,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/bitbucket-pipelines.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022c3708ddffda158b60c7af1a91573c085b9df8a5f\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022e18939aa25137b140957dface586fa6d87f55246\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 263, \u0022payload_entropy\u0022: 5.434692728850024, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u00228c1bccbb2b06427728bd0cad3689e0f3c15d7c34\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ac5763ea881ba74e1ca97ecfe525f218\u0022, \u0022payload_hash\u0022: \u002268337f87019d5f469d1a8237281131a3\u0022, \u0022path_pattern_hash\u0022: \u00227196cda3d0ac0fc416539ef0a94d0999\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/bitbucket-pipelines.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleW\u0022, \u0022event_signature\u0022: \u0022dcf7da77c5fece8b9c8aa8305364d31a811297e8\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":263},{"id":8239755,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59882,"dst_port":8445,"service":"http","classification":"flood","waf_score":7,"waf_tags":"[\u0022950326:rce-0\u0022]","http_method":"GET","http_target":"\/debug.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022964f0361d4e043d42a0314c4bafe9f6c73442dff\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u002277d9f648329aebdef206c4b1d63546db6147ce3b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.301796664566389, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 36.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 36.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f99600d1ec97bfd45af95cff298c10ec1ae53ab3\u0022, \u0022event_fingerprint\u0022: \u00227dd49f10d70bad4c57062225e7eeeb7b7b0c0c8e\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022cfa9df766df352ee0c2ee76a6124a01b\u0022, \u0022payload_hash\u0022: \u002244bd1e314e8b03e60ade4a5e1383207b\u0022, \u0022path_pattern_hash\u0022: \u002255839acef8bcadd99e7e1a1cdf75a15f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/debug.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/1.22 (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1\\r\\nAcce\u0022, \u0022event_signature\u0022: \u0022878697a02dbbab18aa3b24d6c4b2d0188d7b79b4\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/1.22 (compatible; MSIE 5.01; PalmOS 3.0) EudoraWeb 2.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":7,"bytes_in":191},{"id":8239756,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59886,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/error.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00229f7223657a85ea31378cbb521a1b79583c992e80\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00224bf2a42fc3c47a9cd3c9f83a2dcc96b460ea695c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 249, \u0022payload_entropy\u0022: 5.385334227424729, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u002275ee514593a14cc2e0c921c62172d02f64687bd4\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002200beee261c4d9153220cd766ec54f74c\u0022, \u0022payload_hash\u0022: \u00220a9c9b69ed9ee809b237e35bd3457485\u0022, \u0022path_pattern_hash\u0022: \u0022377fe372f5c11075aea15748100afc0d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/error.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (\u0022, \u0022event_signature\u0022: \u00227e751959b4ca1cdc3031a5f4fa8ee725eb0ef94f\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":249},{"id":8239757,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59884,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/app.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022fa04af9816f0793fdc1a867eef08c9bba4602d70\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022bd1d5b79d00a082701f913befabe9ce3bb41a839\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.28167943762117, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u00222e9073b3d1fb0882500262cd1b08db098015881e\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022019e2e1e34358ddde0b0e9ce516b2815\u0022, \u0022payload_hash\u0022: \u0022df2bd690b15ad67d3911156b06619fb5\u0022, \u0022path_pattern_hash\u0022: \u0022705676047b0602f87a6c259c895bc0e9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/app.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1\u0022, \u0022event_signature\u0022: \u00228a2a94171914da59437de177748ccf258f77ec58\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1 SeaMonkey\/2.7.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":8239758,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59898,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/access.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022fe380f58437657749c87a73f76231884ab0bd539\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u002263438c908367e4f8041717ab279c4d967e15af99\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 265, \u0022payload_entropy\u0022: 5.468410944152527, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u0022b1da3376a84f4cde12fa9b22fb312c942638a245\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d70dd77b2a366de2bc9f0b69ff1b13a1\u0022, \u0022payload_hash\u0022: \u0022d5f22ac4da93d65cc5dd0bda7d50b74c\u0022, \u0022path_pattern_hash\u0022: \u00223185fcf0045ab357f9b5c65f6fd9ad4d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/access.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022event_signature\u0022: \u0022479a389786b6b193e6dd72b775700bc8f76963aa\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/74.0.3729.169 Chrome\/74.0.3729.169 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":265},{"id":8239759,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59910,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/server.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022ac8d6ca0a1e127aabdcbb18abe76f91776646dc5\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022437770240dcc724c5033b3c158c576b84dde4de1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 202, \u0022payload_entropy\u0022: 5.277588767799518, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u002211ea034d4106fd64736b97238693b0920464bb15\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002270804c27d8f31549abbe90e5b29d2c15\u0022, \u0022payload_hash\u0022: \u00224099b4e774bcfd541886223420d8f4c3\u0022, \u0022path_pattern_hash\u0022: \u00221bb66c038c973622f0056a763496f9ef\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/server.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; rv:68.0) Gecko\/20100101 Firefox\u0022, \u0022event_signature\u0022: \u0022acd997c884a8afe84db215b4391965dab2d8e83c\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; rv:68.0) Gecko\/20100101 Firefox\/68.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":202},{"id":8239760,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59918,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/laravel.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00220a0bcefa87413ca5dc0d5c25734336832c15bdf2\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00225dd8c8bb33603d1ad2c91357a5bdf5e4a77e2fda\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 196, \u0022payload_entropy\u0022: 5.2845147042105145, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002223c34b7b8d0f0f51b819a1c83435c79c47ed9413\u0022, \u0022event_fingerprint\u0022: \u0022b1f9a1faac0ca5be2cee0d45f41327d2bf03f446\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225921f6b1c7926384d75f8f881a2569ee\u0022, \u0022payload_hash\u0022: \u0022afddeead60aa6ab27f7efaceda1dc577\u0022, \u0022path_pattern_hash\u0022: \u0022e42ca631e5a6c090d1fddca82a4d1723\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/laravel.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (compatible; YandexNews\/4.0; +http:\/\/yandex.com\/bots)\\r\u0022, \u0022event_signature\u0022: \u0022de87d2b3c0f5140a632d9c76161526d7105de337\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (compatible; YandexNews\/4.0; +http:\/\/yandex.com\/bots)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":196},{"id":8239761,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59922,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/application.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022d5494fe16df11ab5f5d2c945da5478c2861a6327\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022194ffa296bf5bf546445bc77a4914a3c16983759\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 220, \u0022payload_entropy\u0022: 5.261397166926366, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u00223c7340d244d255154707caa3fc9b3db84c591131\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002275c159c7e8d01603c84d35f769c53185\u0022, \u0022payload_hash\u0022: \u002220b33c095d686ce7dcc3fd872e05b787\u0022, \u0022path_pattern_hash\u0022: \u0022162fef3d3c20397fd9e19a55bcddfa03\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/application.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox\u0022, \u0022event_signature\u0022: \u0022d592b8d1027bc9788ba0b1c6cb839cab06df8110\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 5.2; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1 SeaMonkey\/2.7.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":220},{"id":8239762,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59944,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/trace.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022dea1a61ddc30695aca1aeaf2a046fb6ead36931d\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00220306f640cbfe7832e364cfa8aaa4495e8ef14f08\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 245, \u0022payload_entropy\u0022: 5.432187184000911, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u00223e081ed431894af8646c458d628f678b61fa3a54\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002203f070ae78a93490e9b479f8fa2b0e91\u0022, \u0022payload_hash\u0022: \u002261f10f204b10a9b2ef36aa12bd423956\u0022, \u0022path_pattern_hash\u0022: \u0022f8d80e9ce78cc8d6e0404ba95f5bd5a6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/trace.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (KHTM\u0022, \u0022event_signature\u0022: \u00226ffd2e422a31ccaf6900b02ab030b314516d2fac\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (X11; U; FreeBSD x86_64; en-US) AppleWebKit\/534.16 (KHTML, like Gecko) Chrome\/10.0.648.204 Safari\/534.16","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":245},{"id":8239763,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59930,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/logs\/debug.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022aa4c6891ed84895612f24c43fa8ccb843a2447a3\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u002203e204e4d1092f0f3982669317d2eb101a33266b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 229, \u0022payload_entropy\u0022: 5.3347006705374005, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022509574a0ad6ce207b82efeb37bca1bf6037ae646\u0022, \u0022event_fingerprint\u0022: \u0022fff2c95a21a67d0bfaab262a3b85ab14cce074e3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022564613f0c7e98a0c62a60e6fdecaf4c5\u0022, \u0022payload_hash\u0022: \u0022ece7ba65a95eacee5504b4ba009cd0f9\u0022, \u0022path_pattern_hash\u0022: \u00222521db54cde5bdc17cc591777e55b15e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/logs\/debug.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.0.3\u0022, \u0022event_signature\u0022: \u0022b8acbf92f014127905b5df55d713944e708bdf0b\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko\/2008092414 Firefox\/3.0.3","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":229},{"id":8239764,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59946,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/logs\/error.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00228b61b4276830ed7f7c0617ffeb8a8065cb2b4742\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00229d5f558e73ca716aa21e27c6081370ba7dda563b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.423672840587935, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226039055461d27828b1233a4644e22a1f4e082b49\u0022, \u0022event_fingerprint\u0022: \u002272007dc8b995f6353f46590c086c59ffa1134689\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002271e0e2d7ffc2bcd780ecfbc3a73f8ab2\u0022, \u0022payload_hash\u0022: \u002279a779c55910cde6208f6ea502e364c2\u0022, \u0022path_pattern_hash\u0022: \u002211a7dc2316512e9b8311ac327e383bb9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/logs\/error.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.\u0022, \u0022event_signature\u0022: \u002266d489056a7e65b172c538989a64005d4a7ccbaf\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":261},{"id":8239765,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59948,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":12,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/logs\/app.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00225c3c2a2513d182b758a3764b7825bbdef04ac8ad\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022d0b8b644029ba159087a417f2e8eafdc14fc0ddb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 233, \u0022payload_entropy\u0022: 5.2795031861619535, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 56.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b84bb1dcb85ba04c86c379f8e3634f2cd85fb0d3\u0022, \u0022event_fingerprint\u0022: \u002222c315a4985a003412b496acf254e30832082825\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002279835db275171036b9aa0d507d436a82\u0022, \u0022payload_hash\u0022: \u00224b890bcc107f52de4f27a9c1f8491fda\u0022, \u0022path_pattern_hash\u0022: \u00221ee40b92eb3b65f75911cb662d7e1127\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/logs\/app.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Conf\u0022, \u0022event_signature\u0022: \u00221eb9ad5bc4267c086f6de8577ff17d32c85336c0\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"SonyEricssonK800i\/R1CB Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":233},{"id":8239766,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59950,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/log\/error.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u0022b24db827597af76ea6b779c10780ee4368984ff6\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022fc50733d76409093f90f46513edc67564b2421cb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 238, \u0022payload_entropy\u0022: 5.403687432639255, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225d1887c398c4cd2c84e90cf7413b7e5a98a708bf\u0022, \u0022event_fingerprint\u0022: \u0022d9a2d9424458cca84faa5ab02285252446a960cd\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225e3203e96f1bc67a5b39f6232a2ae0ab\u0022, \u0022payload_hash\u0022: \u0022d3a5c22f3659df5cf119fbd4cc58a68c\u0022, \u0022path_pattern_hash\u0022: \u0022a4d176701e2b21dd6deff557491aab03\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/log\/error.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, li\u0022, \u0022event_signature\u0022: \u00222e44821db05d6cfa4c40d53b04d19630578c1862\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_log\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_log\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":238},{"id":8239767,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59974,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/log\/debug.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00228e1649067a7a53c60ebc4e206cd8bb6c620641e4\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00223fb5b472f52b8bcac2f6138463cf27ff65b8c633\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 246, \u0022payload_entropy\u0022: 5.424630505571992, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 90.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 90.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002224026e9bf08e22f7a3662b3e6ba58944783f3637\u0022, \u0022event_fingerprint\u0022: \u0022a8cc3211cc4dd929aef9f1a4166ad1fc7f6986f7\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221d46eaec8fb09d6f4a663ac325d1a764\u0022, \u0022payload_hash\u0022: \u00222ef3c1fd494dd9ab1e5f4bbfe3b8e60b\u0022, \u0022path_pattern_hash\u0022: \u00220a13815894d10bbcd047ea689c56dc08\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/log\/debug.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022event_signature\u0022: \u0022229af72d72822e63981725dd8c5e8e62eee0035a\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_log\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.99 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_log\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":246},{"id":8239768,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59964,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":12,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/logs\/application.log","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022log\u0022, \u0022http_ua_hash\u0022: \u00221b3b1ff196fc0a48441ec32d28bb0f4936e1011e\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022cdf00c17308c69bcbf2914393a08738de75ce806\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.375929617727741, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 56.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b84bb1dcb85ba04c86c379f8e3634f2cd85fb0d3\u0022, \u0022event_fingerprint\u0022: \u0022e5f6353fd8a50f2177b21ddf90c5555adef83e9e\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ac4d786cd8eb314a65a7c31c54bfebbf\u0022, \u0022payload_hash\u0022: \u0022381905fb6ef5ce4d8b692d943f1f2400\u0022, \u0022path_pattern_hash\u0022: \u002260fc95e5699c71a682d502bba60586d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/logs\/application.log HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022event_signature\u0022: \u002217597bb8309d0ab1f0a10192bfb037024b96c2ee\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_logs\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":260},{"id":8239769,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59982,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950522:leak-9\u0022]","http_method":"GET","http_target":"\/.htpasswd","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022htpasswd\u0022, \u0022http_ua_hash\u0022: \u0022101f08546915744f849da0d5b99ff8b8f9b8dcb5\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022ade2de8d21551efb00f221b43821b4acb26b6f79\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.418430637896458, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 100.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 100.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cc26b1acd5eda4e59249e284fccb6ee419733d77\u0022, \u0022event_fingerprint\u0022: \u00227187d2c060bf71d36b1742f73fd4cec97958ce4f\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022189c5262cf21079a4cb04660fe26305d\u0022, \u0022payload_hash\u0022: \u002286cb0124bb5511cd03b7481346c2cea6\u0022, \u0022path_pattern_hash\u0022: \u0022229c0a4c773f5f9eeec1d298c58088ee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.htpasswd HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, \u0022, \u0022event_signature\u0022: \u0022f1d5e060c271df0d172f0179a5742dcbc68fc7f3\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950522:leak-9\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950522:leak-9\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":243},{"id":8239770,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59984,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.htaccess","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022htaccess\u0022, \u0022http_ua_hash\u0022: \u0022c70d7b3f7fb3cfd50e157d1d02d20eb8f02b0df5\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u00223450b1e7f2decdc58edd085ce04b19bc7f5d6fac\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.4791669346569085, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u0022ed5e1932581bbc96348b7b8b37c1f20112920a53\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b9495d23964a6788cb4301e56b38bd29\u0022, \u0022payload_hash\u0022: \u00226794af4b9a10c0f71726f339699cc2a1\u0022, \u0022path_pattern_hash\u0022: \u00224c27678faebafe822ea78c9ea1cb1efa\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/.htaccess HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.2; SM-T230NU Build\/KOT49H) AppleWebK\u0022, \u0022event_signature\u0022: \u0022993a4ec7d0d63e8d27bf936d08be5d546758b872\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 4.4.2; SM-T230NU Build\/KOT49H) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/51.0.2704.81 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":260},{"id":8239771,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59996,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/nginx.config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022config\u0022, \u0022http_ua_hash\u0022: \u00221f245d0d1d653feb1b66c0e27330a61199069bba\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022e275586080f0f32618bdbe0c80334164416e3043\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 255, \u0022payload_entropy\u0022: 5.428212314466037, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u00229810ead0d697582a46850e60e65d7b303d566523\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022db21fb16e11ad495c24878c8f181edd3\u0022, \u0022payload_hash\u0022: \u00225ad095c197855d865bba1bb25037fcaa\u0022, \u0022path_pattern_hash\u0022: \u002280871f7e109ea9867fd6173c2b32059b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/nginx.config HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KH\u0022, \u0022event_signature\u0022: \u0022acaf5b6411f330d378fab27de61acc2f244ae5fd\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":255},{"id":8239772,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":59988,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/web.config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022config\u0022, \u0022http_ua_hash\u0022: \u0022b1e7dd6d29e880c014bdd0f2b62522a104801cab\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022fb61e36fe9095535f127e3353d957f1c1310e8e9\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 240, \u0022payload_entropy\u0022: 5.413410117119781, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u002287e21bae1dbf4cb0f1137e0832a091c89711477a\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002294095ff7e391a8e3a58b49f3a1340809\u0022, \u0022payload_hash\u0022: \u0022fe4409b2e75fd5fed52cd9793e253b8e\u0022, \u0022path_pattern_hash\u0022: \u00220913647d7e838cdd727ceda37a671f37\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/web.config HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022event_signature\u0022: \u0022d5973dd66d9c8af7c3794c57684c04dbb3d5207c\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":240},{"id":8239773,"ip":"34.80.146.76","ts":"2026-06-04 16:13:00.000000","proto":"tcp","src_port":60004,"dst_port":8445,"service":"http","classification":"web_attack","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/nginx.conf","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022conf\u0022, \u0022http_ua_hash\u0022: \u002295d63f6129759fbfd7715126f77f2d0f6a99428e\u0022, \u0022http_host_hash\u0022: \u0022cb02367c77f38075a2cc9013ee32fc8b1cbdd795\u0022, \u0022http_target_hash\u0022: \u0022845c3b2b5656c277525928bf4edf7c41919ad7fa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 246, \u0022payload_entropy\u0022: 5.410342326185944, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 8445, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0f244479aa9cd802d5f39ccef48d7319a47eb61\u0022, \u0022event_fingerprint\u0022: \u0022d66cbdd83c1d61593d1dc39f57df062b2d0289fa\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002216f8c6ef3fdeee63db1a03394fea0ccb\u0022, \u0022payload_hash\u0022: \u0022d3dff44c65b0dc67b92051cd93f4b75a\u0022, \u0022path_pattern_hash\u0022: \u002280f5fa98cca489e2cf5aa551565e088f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8445, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.89, \u0022classification_confidence\u0022: 0.89, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/nginx.conf HTTP\/1.1\\r\\nHost: 62.3.50.33:8445\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHT\u0022, \u0022event_signature\u0022: \u002287da6300bd75cf603224a87a788bb7de1978336d\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8445","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":246}],"total_events":766}