{"ip":"34.95.202.70","exported_at":"2026-06-19T22:44:41+00:00","period_days":7,"metrics":{"events7d":332,"distinct_ports":1,"distinct_classifications":6,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":43,"max_risk_score":69,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["path_traversal","config_leak_scan"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":40,"protocol":43,"novelty":25},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"T1083","top_mitre_technique":"TA0007","top_mitre_count":166,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)","campaign_hint_fr":null,"confidence_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":40,"protocol":43,"novelty":25,"risk_score":68,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":100,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["SIGMA-web-config-leak","Http Sensitive","Upstream","Waf Score"],"tags_summary":["SIGMA-web-config-leak","INT-http_sensitive","INT-upstream","INT-waf-score"],"attack_vector":"config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sendgrid\/.env.prod","protocol_details":{"http_method":"GET","http_path":"\/sendgrid\/.env.prod","request_line":"GET \/sendgrid\/.env.prod HTTP\/1.1","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; EML-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36","port":6000,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/sendgrid\/.env.prod \u00b7 UA Mozilla\/5.0 (Linux; Android 9; EML-L09) AppleWe\u2026 \u00b7 HTTP:6000","evidence_snippet":"GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:6000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; EML-L09) AppleWebKit\/537.36","target_port_label":"6000 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF","classification_reason":"Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","classification_reason_label_fr":"Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF","payload_preview":"GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:6000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; EML-L09) AppleWebKit\/537.36"},"events":[{"id":8910613,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40238,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/admin\/.env.production","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022production\u0022, \u0022http_ua_hash\u0022: \u002262ac45c41cf6caf6d57eb7fee8525038d771ec6e\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00226afcf6a74c4f4ca0deffd4538e4bee0be1658fdc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 274, \u0022payload_entropy\u0022: 5.352298480450322, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e25c25fd269ad7978f308440e4906e3b49c09af9\u0022, \u0022event_fingerprint\u0022: \u002200b77ad65eaab73fc617dffd2c38ebb4fa99e26f\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Magento admin\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d6f7fce236f2bbc34b4db48e43aa971e\u0022, \u0022payload_hash\u0022: \u00222e17cca1da13ebe457c24e4002f67729\u0022, \u0022path_pattern_hash\u0022: \u00222436e3a9cfeb9e9b135c78544dba7eee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) App\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCon\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) App\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCon\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) App\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022902203cd7733546bb611972a0f9e7c31f4e16123\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.env.production\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) App\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.env.production\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.env.production\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.env.production\u0022, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) App\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":274},{"id":8910614,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40228,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/private\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002264a327cf48adaea4eba4fb6a97f4e5e5d16c3d84\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002242ecb4d5f4be7b556e157ee15a288da92dfb0e45\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 249, \u0022payload_entropy\u0022: 5.3924825223489625, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002229b45f52831fa1e5690f0b4a0549cf8ccf71fc0f\u0022, \u0022event_fingerprint\u0022: \u002281ab23e56478b71004b1644cebee1bdec3733207\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022508d1061f77f6b94259663e34afad01e\u0022, \u0022payload_hash\u0022: \u002270c4d0ccddf7b6b8851ce9bce95878ba\u0022, \u0022path_pattern_hash\u0022: \u0022467844c5e65593cac952660a5e740364\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/private\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/private\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/private\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/private\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/private\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/private\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/private\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/private\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/private\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002271d348a62b39040d2b294dd6a628b4d48fd1deca\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/private\/.env\u0022, \u0022request_line\u0022: \u0022GET \/private\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/private\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/private\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/private\/.env\u0022, \u0022request_line\u0022: \u0022GET \/private\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/private\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/private\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_private\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_private\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":249},{"id":8910615,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40372,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/var\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00221ec76de79048327f0e5c528a16069d0d17549e57\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00227f1fb2a1c5b72e520b988cd8c8a970a6662732b5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 253, \u0022payload_entropy\u0022: 5.400509087595423, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u002235fa51527c169d0b5e16def164cea5e1861707af\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227a9f67fec24c4f845c587df0ff337b33\u0022, \u0022payload_hash\u0022: \u00221ad0cbed6814ba6d48bb8f5c79373a69\u0022, \u0022path_pattern_hash\u0022: \u00220d0f9087dce4407a1a8d5052b0a9d1bf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/var\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTM\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/var\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/var\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/var\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/var\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTM\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/var\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/var\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/var\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/var\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTM\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c80b683b2faf9dfc0a1748249de70d08eb9902e4\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/var\/.env\u0022, \u0022request_line\u0022: \u0022GET \/var\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/var\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTM\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/var\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/var\/.env\u0022, \u0022request_line\u0022: \u0022GET \/var\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/var\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/var\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTM\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.1.0; Nexus 6P) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":253},{"id":8910616,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40380,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/symfony\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00222bdf8f3e4bf27e51cf6ef11d993a597699a41278\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022581b418411856b2c342ec9927095e7782e5723ff\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 197, \u0022payload_entropy\u0022: 5.299528939865756, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc83b3e8a0c0f66ab5699ac1ad40677883f0c12e\u0022, \u0022event_fingerprint\u0022: \u0022fa048facc6f7088e5258b622c5465df6870e5f4a\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002223bebb76be935fbc6f2a84e7c421bd5f\u0022, \u0022payload_hash\u0022: \u002297709e59544aa122ad5270ee5f6e991c\u0022, \u0022path_pattern_hash\u0022: \u002276c104a7314c285b1e250aee04e5396e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/symfony\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/symfony\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002276f643b4585f9fee7175d59cd8c900bcdda3d995\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/symfony\/.env\u0022, \u0022request_line\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/symfony\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/symfony\/.env\u0022, \u0022request_line\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/symfony\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/symfony\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":197},{"id":8910617,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40358,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/deploy\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00222e3cc49aa372909acec1e031455be5bed24b58b5\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002288f51b1ca7bef99bb6c035fd80f97ade7f3602a8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 274, \u0022payload_entropy\u0022: 5.4122330623466155, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u00220dedbbe4867b6122bd89bd35b61721118af77fd9\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e42d4414779ebf0d31a30f4511925be5\u0022, \u0022payload_hash\u0022: \u0022bcbdf7d07da12004fb5e903461c5f605\u0022, \u0022path_pattern_hash\u0022: \u0022cf92621b9e3f2982786aa63fff3e305e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKi\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/deploy\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/30.0.0.0 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/30.0.0.0 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCon\u0022, \u0022payload_snippet\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/deploy\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/30.0.0.0 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/30.0.0.0 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCon\u0022, \u0022payload_snippet\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002237d08c0345ca4a5eb1d132cff215983e5c3035dc\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/deploy\/.env\u0022, \u0022request_line\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/30.0.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/deploy\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/deploy\/.env\u0022, \u0022request_line\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/30.0.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/deploy\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/deploy\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 4.4; Nexus 5 Build\/BuildID) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/30.0.0.0 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":274},{"id":8910618,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40288,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/packages\/api\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00221e62b8de0a048d51eb2bcb4b1725402f99d7922e\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022fd8fe30f25c6601a86628e4b53931f0feb977f1a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 253, \u0022payload_entropy\u0022: 5.351219438082156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u002240104501a4e27bc485b26b95989736ec58882525\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022fb5e35146ac47aeda49a47d2803f65a3\u0022, \u0022payload_hash\u0022: \u00221d365ba27578bdc308914b7b59be9fc9\u0022, \u0022path_pattern_hash\u0022: \u0022226ad246bf9a22935f1389885ad08c73\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/5\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/packages\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/5\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/packages\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/5\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022091895edf6b0edc1c9556ea3033bb965a1972a69\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/packages\/api\/.env\u0022, \u0022request_line\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/5\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/packages\/api\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/packages\/api\/.env\u0022, \u0022request_line\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/packages\/api\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/packages\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/5\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/537.78.1 (KHTML like Gecko) Version\/7.0.6 Safari\/537.78.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":253},{"id":8910619,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40354,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/dist\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022aafc9c24701a2406e835625180be116a92757f2c\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002281857e1267b33a1f581fba5ddd161461d38f8919\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 257, \u0022payload_entropy\u0022: 5.410204781053734, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022883aa517a04450445cb7b71849e5077714a4aff3\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226b75aa9d29f220e9bce8089cb60461c5\u0022, \u0022payload_hash\u0022: \u0022e358f575ec57dbc65b9073541a796130\u0022, \u0022path_pattern_hash\u0022: \u002266871996c0444a7924edba6da98b9137\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/dist\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dist\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/dist\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dist\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/dist\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dist\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/dist\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dist\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/dist\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225a264b9ed42452419c6ab0494bd18f4aa6573e31\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dist\/.env\u0022, \u0022request_line\u0022: \u0022GET \/dist\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safa\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/dist\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dist\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dist\/.env\u0022, \u0022request_line\u0022: \u0022GET \/dist\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safa\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dist\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/dist\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 7.0; Alcatel_5044R) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":257},{"id":8910620,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40298,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/docker\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00225014d4114c4cbabd19d9fd2da5d287ad27a6f544\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00229af4b895c55b82b27b0181f549c7f29671f851e7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.42586362430017, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022307aa802ff58decc9f0a5d73a1cbcb441d5f2672\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b0ae87eff6920e57eb3c45e71d20538f\u0022, \u0022payload_hash\u0022: \u0022574ad4684e4b2e0857de60878e413b42\u0022, \u0022path_pattern_hash\u0022: \u0022d8c5fc01c634b7a145b1071dcf26d56b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/docker\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/docker\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/docker\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/docker\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/docker\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/docker\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/docker\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/docker\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/docker\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022be6888eeadef7d877f59ad4cea8b6833aff6024e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/docker\/.env\u0022, \u0022request_line\u0022: \u0022GET \/docker\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/docker\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/docker\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/docker\/.env\u0022, \u0022request_line\u0022: \u0022GET \/docker\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/docker\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/docker\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":252},{"id":8910621,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40346,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/release\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002201d5fbf93a54fabb8ab22591bb3459434f9dab9f\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00223f4c975c51cd1d3df84592564ed06afe4e782992\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 218, \u0022payload_entropy\u0022: 5.260135119035212, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u00220acfb83944438405cc1ef57ce7219d5aacf38b0a\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002292fb9085c955383e740262552eee1da9\u0022, \u0022payload_hash\u0022: \u0022dbede152b55b989afafe07209ce30ab2\u0022, \u0022path_pattern_hash\u0022: \u002293883cb09f4769a367badfafc907183e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/release\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/release\/.env\u0022, \u0022user_agent\u0022: \u0022Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/release\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/release\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/release\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/release\/.env\u0022, \u0022user_agent\u0022: \u0022Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/release\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/release\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/release\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229cf89235699bd6faa0e101bb318233cb8e143c0e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/release\/.env\u0022, \u0022request_line\u0022: \u0022GET \/release\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/release\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/release\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/release\/.env\u0022, \u0022request_line\u0022: \u0022GET \/release\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/release\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/release\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":218},{"id":8910622,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40334,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/htdocs\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00228e592f6d195654b25f2887f372f19885a896c5f2\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00228f48488caec0125a8a05acdcda0c91818dd79982\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.39227798744573, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022f0746c8c4f0da8a005ed78e3780319ed44f475ac\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002204bbf91f2f08f7f3f3865b9e75774fd0\u0022, \u0022payload_hash\u0022: \u0022f6b83f52625337d394efc169d52a9e94\u0022, \u0022path_pattern_hash\u0022: \u002243bb577a72550f9d83432629be23ae6a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htdocs\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htdocs\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224479891b98b3a415a66ac496afa1878c161e6650\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/htdocs\/.env\u0022, \u0022request_line\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/htdocs\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/htdocs\/.env\u0022, \u0022request_line\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/htdocs\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/htdocs\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":252},{"id":8910623,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40318,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/conf\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022363e1ebf472037cb84ba27232093f374e269420a\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002270dc78a46c5fc5ec9a60262c10608bb7fd4c1db2\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 250, \u0022payload_entropy\u0022: 5.370529611758949, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022e2893eb47012104302e83f8786bf7ae38ffc9874\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002299cfea7588f08f054926334ea17308c1\u0022, \u0022payload_hash\u0022: \u00224a35b7d1862966d3fcef125f1bb3d7ff\u0022, \u0022path_pattern_hash\u0022: \u0022f6629ed9025fbf6cf9edb98b9f1072f5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/conf\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/conf\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/conf\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/conf\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/conf\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/conf\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/conf\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/conf\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/conf\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002207084a9faf4a82cd9ef970248866df3a58bf66b6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/conf\/.env\u0022, \u0022request_line\u0022: \u0022GET \/conf\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/conf\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/conf\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/conf\/.env\u0022, \u0022request_line\u0022: \u0022GET \/conf\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/conf\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/conf\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":250},{"id":8910624,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40222,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/internal\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022fbfeb061a17a67387fddf78e72d6aecd0ca45bb9\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022bbff311646149e77bbf27c4899ac7dbcb7bb94dc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 218, \u0022payload_entropy\u0022: 5.274397606463777, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022220e6c4edd69ed807c28e49a3784f9842d380373\u0022, \u0022event_fingerprint\u0022: \u0022bb6a667ba3bcd3d4ca65d15ad3b7fdb668a13b0c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226bf7c869476b4b782705baafb658da2d\u0022, \u0022payload_hash\u0022: \u0022c4e417a31f20dbc706e1fa6b00c3096d\u0022, \u0022path_pattern_hash\u0022: \u0022929e3be7d81c0f83bf54b6e32e9b030d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/internal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/internal\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/internal\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/internal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/internal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/internal\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/internal\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/internal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/internal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002296127decf5076a71602535e640d5995f5fc275c1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/internal\/.env\u0022, \u0022request_line\u0022: \u0022GET \/internal\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/internal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/internal\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/internal\/.env\u0022, \u0022request_line\u0022: \u0022GET \/internal\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/internal\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/internal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_internal\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0 SeaMonkey\/2.42.9esr","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_internal\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":218},{"id":8910625,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40306,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":20,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/config\/.env.local","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022local\u0022, \u0022http_ua_hash\u0022: \u002279fcf70203b529772ca6088bc07c51a2a51bfd2e\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00228315d690f50358ceea64bc0cb23314dd9bf855ed\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 238, \u0022payload_entropy\u0022: 5.361675594765839, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 88.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002216127feda4805e38e9aff4c041c5fe012acb0c70\u0022, \u0022event_fingerprint\u0022: \u00228709781f02360f48d7189dba7dc112d5c89db3b6\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002297e0dfaa21a6dc89a019c31181340a71\u0022, \u0022payload_hash\u0022: \u00227bff3d0b6abcc65688ed2ff8d06c482c\u0022, \u0022path_pattern_hash\u0022: \u0022826e0f7bf5d8c36c7953b7184edfe839\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022payload_preview\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.93 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.93 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.93 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.93 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a50e0c48c0162e40e1ea57fb5f2e5018c70f6983\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config\/.env.local\u0022, \u0022request_line\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.93 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/config\/.env.local\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config\/.env.local\u0022, \u0022request_line\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.93 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/config\/.env.local\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_config\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Windows NT 6.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/45.0.2454.93 Safari\/537.36","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_config\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":238},{"id":8910626,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40270,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/admin\/.env.local","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022local\u0022, \u0022http_ua_hash\u0022: \u00223f65b3e22cbcd747c1962c895d2eb335ba158a2a\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00225104f09772fa402efdc8eb0bc2114ecf6407730d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 309, \u0022payload_entropy\u0022: 5.445306464185668, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228249f6ae3cedd5d898dcb6ebde9134c4b8dc6fc6\u0022, \u0022event_fingerprint\u0022: \u002294fb38fabbe388595f5590d57bbdcbf21065f67e\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Magento admin\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002241065961a14a6787e0d02021c583f954\u0022, \u0022payload_hash\u0022: \u002204edb06f75e7641b7eb2433920bbc237\u0022, \u0022path_pattern_hash\u0022: \u00228b44c48d7af23ff178b0954ed1a8265f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.0.3; Profile\/MIDP-2.0 Configuration\/CLDC-1.1 ) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 UP.Link\/6.2.3.18.0\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.0.3; Profile\/MIDP-2.0 Configuration\/CLDC-1.1 ) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 UP.Link\/6.2.3.18.0\\r\\nAccept-Charset\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.0.3; Profile\/MIDP-2.0 Configuration\/CLDC-1.1 ) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 UP.Link\/6.2.3.18.0\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.0.3; Profile\/MIDP-2.0 Configuration\/CLDC-1.1 ) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 UP.Link\/6.2.3.18.0\\r\\nAccept-Charset\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022efa4affa360b6041ef7ada278a440a35c65f37fd\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.env.local\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.0.3; Profile\/MIDP-2.0 Configuration\/CLDC-1.1 ) AppleWebKit\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.env.local\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.env.local\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.0.3; Profile\/MIDP-2.0 Configuration\/CLDC-1.1 ) AppleWebKit\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.env.local\u0022, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 NokiaE90-1\/07.24.0.3; Profile\/MIDP-2.0 Configuration\/CLDC-1.1 ) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 UP.Link\/6.2.3.18.0","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":309},{"id":8910627,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40258,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/admin\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022b7f82af2dee1c9b678fa2b4e317b8fb4968bf961\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00229bae73d08848be44521e9c4d49360c6e081f0fff\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 263, \u0022payload_entropy\u0022: 5.470342457125029, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e25c25fd269ad7978f308440e4906e3b49c09af9\u0022, \u0022event_fingerprint\u0022: \u0022815d67c256677e3c332b17e968bc132efe1f296c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Magento admin\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225914767f04910c71cb516b1f5e0918e9\u0022, \u0022payload_hash\u0022: \u0022619606d6f4dd2c3e0f137d7e4fd8d421\u0022, \u0022path_pattern_hash\u0022: \u002236de7f489df887c3e31f5a951469f711\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/admin\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/69.0.3497.81 Chrome\/69.0.3497.81 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/69.0.3497.81 Chrome\/69.0.3497.81 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/69.0.3497.81 Chrome\/69.0.3497.81 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/69.0.3497.81 Chrome\/69.0.3497.81 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bf9552caf6309745cf8230b2bea7dd17fbaae221\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.env\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/69.0.3497.81 Chrome\/69.0.3497.81\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.env\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/69.0.3497.81 Chrome\/69.0.3497.81\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/69.0.3497.81 Chrome\/69.0.3497.81 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":263},{"id":8910628,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40212,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/service\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022b1108440c2204cb493187937aef99469ef730af0\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00229afb54f0e738d3d8aa1fcfb80bab77080f7f6fdc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 203, \u0022payload_entropy\u0022: 5.199669817615971, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc83b3e8a0c0f66ab5699ac1ad40677883f0c12e\u0022, \u0022event_fingerprint\u0022: \u0022d37732170731663b0648c1a46da9563c0ad11b44\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220960ee8587c1338e669b0e854098c420\u0022, \u0022payload_hash\u0022: \u0022355f59899a041c2d8cdd3eba092a3525\u0022, \u0022path_pattern_hash\u0022: \u0022d9b00f587478dec270837253c672f652\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/service\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/1\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/service\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/10.0.12\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/service\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/service\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/10.0.12\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/service\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/1\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/service\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/10.0.12\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/service\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/service\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/10.0.12\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/service\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/1\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002226355535710274b3dd11bf0e5d2f9baef9874abf\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/service\/.env\u0022, \u0022request_line\u0022: \u0022GET \/service\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/10.0.12\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/service\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/1\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/service\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/service\/.env\u0022, \u0022request_line\u0022: \u0022GET \/service\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/10.0.12\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/service\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/service\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/1\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (OS\/2; Warp 4.5; rv:10.0.12) Gecko\/20100101 Firefox\/10.0.12","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":203},{"id":8910629,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40244,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/config\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002214628cd4a4abd0e3e10c609d18773a8555cc5390\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022867074af7203ec5cf6b039823237b28edf1066aa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.399443917971945, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227153aae7eef41add9af40a2b5e51a8c1090fdb3e\u0022, \u0022event_fingerprint\u0022: \u0022d0c00a6cedc8aef6f4d4cc66db920ec47b227540\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022dbb58d3bccfa92958e04f2c811e70647\u0022, \u0022payload_hash\u0022: \u0022fb1748f331292c28069fe17270fcc539\u0022, \u0022path_pattern_hash\u0022: \u00222aaa158af561315bc9004215c1f06852\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/config\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/config\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/config\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e88887e47dc5e5e56a8ecb8fa7b60d479e7baea4\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config\/.env\u0022, \u0022request_line\u0022: \u0022GET \/config\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/config\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config\/.env\u0022, \u0022request_line\u0022: \u0022GET \/config\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/config\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_config\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_config\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":252},{"id":8910630,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40210,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/internal\/.env.production","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022production\u0022, \u0022http_ua_hash\u0022: \u002258f598e3ce3a37b4555ba18449264b529a288695\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022d290e289983be8731f71ebf018001c11bad4ee88\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.365964093129136, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f8501d6069653a77b6f29914c146cab8038319ea\u0022, \u0022event_fingerprint\u0022: \u0022ea26d8e138b0bcadda968204ca1bd998a9642ed1\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221e5d554e861ea40a0dd75157d9ba835f\u0022, \u0022payload_hash\u0022: \u00227bc735dacb44e81b54b8a8e2a435da12\u0022, \u0022path_pattern_hash\u0022: \u002282c27c01e593b4c327a9fce0421e0d53\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) Apple\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/internal\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: c\u0022, \u0022payload_snippet\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) Apple\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/internal\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: c\u0022, \u0022payload_snippet\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) Apple\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228f4e18e64cf803e5557266031cee67d2c06b4027\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/internal\/.env.production\u0022, \u0022request_line\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) Apple\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/internal\/.env.production\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/internal\/.env.production\u0022, \u0022request_line\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/internal\/.env.production\u0022, \u0022evidence_snippet\u0022: \u0022GET \/internal\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) Apple\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_internal\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_internal\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":264},{"id":8910631,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40280,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/admin\/api\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00220b853abfd178b58867cc526e4078af8402445b0d\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022457eece9ef431f7c5ef47fc5eabd74481382950d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 240, \u0022payload_entropy\u0022: 5.376300050160618, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e25c25fd269ad7978f308440e4906e3b49c09af9\u0022, \u0022event_fingerprint\u0022: \u002210309057765fded7eb533269666054de3448ae1a\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Magento admin\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c2c8d62d472f0af997f91967557f7f42\u0022, \u0022payload_hash\u0022: \u0022444d54edcd0fbd2ee82dec80fd009ec5\u0022, \u0022path_pattern_hash\u0022: \u0022eb0b318a7b8e99b7782318c2869ecac1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20080207 Ubuntu\/7.10 (gutsy) Firefox\/2.0.0.12\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20080207 Ubuntu\/7.10 (gutsy) Firefox\/2.0.0.12\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20080207 Ubuntu\/7.10 (gutsy) Firefox\/2.0.0.12\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20080207 Ubuntu\/7.10 (gutsy) Firefox\/2.0.0.12\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220510b8ba46380d44dc865ac730e1b8e9b0d6f499\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/api\/.env\u0022, \u0022request_line\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20080207 Ubuntu\/7.10 (gutsy) Firefox\/2.0.0.12\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/api\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/api\/.env\u0022, \u0022request_line\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20080207 Ubuntu\/7.10 (gutsy) Firefox\/2.0.0.12\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/api\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/admin\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (X11; U; Linux x86_64; sv-SE; rv:1.8.1.12) Gecko\/20080207 Ubuntu\/7.10 (gutsy) Firefox\/2.0.0.12","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":240},{"id":8910632,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40256,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/admin\/.env.backup","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022backup\u0022, \u0022http_ua_hash\u0022: \u0022ccfb65e77a5b2a1e634e3cbb5a4ceb05c982ed2c\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002232e03e003a51f542f710beeac8e15f008c3f65ad\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 218, \u0022payload_entropy\u0022: 5.322571488271275, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e25c25fd269ad7978f308440e4906e3b49c09af9\u0022, \u0022event_fingerprint\u0022: \u00226ef97a96736828e248b0e642bc40e96c7903fe89\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Magento admin\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022eb5bc121522483510e44b31021acc4b2\u0022, \u0022payload_hash\u0022: \u00225d83c6734fd67750f828f04056fda1f1\u0022, \u0022path_pattern_hash\u0022: \u00229967aebe85bc5150552d43732fce77c0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.env.backup\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.env.backup\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a44457d2f528477bbcd2a22475f5689a4df2b529\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.env.backup\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.env.backup\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.env.backup\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.env.backup\u0022, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.env.backup HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":218},{"id":8910633,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40206,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":20,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/private\/.env.production","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022production\u0022, \u0022http_ua_hash\u0022: \u0022fa624d6a74e6815019d1233ee149beabec7a7fb1\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022733a894b07d9b79b5b4ab7169336337873d659bc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 5.2321447754090435, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 88.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d99710a8ee180d9c4276ceb8e3df831ec507f551\u0022, \u0022event_fingerprint\u0022: \u002254090d51fb38bbd0fdafe7bd663d534989c4928d\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022dc0e48bfd7e1775f9fe72e23dd090d93\u0022, \u0022payload_hash\u0022: \u0022dbb4c0f0ee68ceaf1fc47b19e84976e0\u0022, \u0022path_pattern_hash\u0022: \u0022d172a4f1c2b0f77cc0bf21a5051067d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022payload_preview\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\\r\\nAccept-Cha\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/private\/.env.production\u0022, \u0022user_agent\u0022: \u0022Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\\r\\nAccept-Cha\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/private\/.env.production\u0022, \u0022user_agent\u0022: \u0022Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\\r\\nAccept-Cha\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bd11375b64121b2620863062aa4e245e74c58626\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/private\/.env.production\u0022, \u0022request_line\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\\r\\nAccept-Cha\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/private\/.env.production\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/private\/.env.production\u0022, \u0022request_line\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/private\/.env.production\u0022, \u0022evidence_snippet\u0022: \u0022GET \/private\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0\\r\\nAccept-Cha\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_private\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Jigsaw\/2.2.5 W3C_CSS_Validator_JFouffa\/2.0","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_private\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":8910634,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40394,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/tmp\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00221d272fbe143f2a4115f67b474937c06356908b2c\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022606cb8ac14dde0b6a700154242812cc24d72a39a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 249, \u0022payload_entropy\u0022: 5.383115702929607, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022b0b5eedb5cd34decf5f2cfb46c00db52818ae28a\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b7328aaa30e34f28893220be545ec39b\u0022, \u0022payload_hash\u0022: \u002299e40df592dc52d7e8d29ec04ac456df\u0022, \u0022path_pattern_hash\u0022: \u00224238aa7c586fdde889d3bc23ec72292d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (K\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/tmp\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (K\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/tmp\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (K\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d508f977db4d8d1ebfe314e519fbb47b72f846b2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/tmp\/.env\u0022, \u0022request_line\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (K\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmp\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/tmp\/.env\u0022, \u0022request_line\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/tmp\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/tmp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (K\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":249},{"id":8910635,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40410,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/html\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002289ad0029b2143d93cc8b33793d4548b188b94014\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022d88de32bc9acf1646f12af79ae4f4e612885da98\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.406486408192901, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022a159525e95e5a438f04655180fa9ae127ec144ab\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223cb77f1b08fff0e3aa55b35e3dcb3934\u0022, \u0022payload_hash\u0022: \u0022b0d317ffc9e979566b6b956558428434\u0022, \u0022path_pattern_hash\u0022: \u0022b731774ad9ccb17484242cab8412851e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/html\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/html\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/html\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/html\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/html\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/html\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/html\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/html\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/html\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225d3d157fd902dc80d3fa54bcc4042e86489b62fc\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/html\/.env\u0022, \u0022request_line\u0022: \u0022GET \/html\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/html\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/html\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/html\/.env\u0022, \u0022request_line\u0022: \u0022GET \/html\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/html\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/html\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":243},{"id":8910636,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40466,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/apps\/api\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022252b93efa155a5637c584f729eef797ba6dba612\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022e63b41d5687406ee7f40926b7271357b1c46aaae\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.385361979610675, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022919283d851396e274c373a1c3ea5aa573a3b71b0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221e6b2a724d1ae943a7a06e4531665258\u0022, \u0022payload_hash\u0022: \u00229abf843fb865bbf441936ea29b606aa3\u0022, \u0022path_pattern_hash\u0022: \u0022ab70800db05dbfe0190629bc711f2fa2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/apps\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/apps\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223393584d3d1c7fe258a3029f037081cb67123e12\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/apps\/api\/.env\u0022, \u0022request_line\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apps\/api\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/apps\/api\/.env\u0022, \u0022request_line\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apps\/api\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/apps\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3440.106 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":247},{"id":8910637,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40434,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/build\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00221e29739366551c87224a961fdd172a2df59683fc\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00222d5b68c8e6ed1e8f4f16e52e678eb8949566126b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 315, \u0022payload_entropy\u0022: 5.4614570813794, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u00222d925cdb7de412f7e628ea8e23422e1de2cfa524\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f60ffe518114f15f2a3ce8ee0e98ab79\u0022, \u0022payload_hash\u0022: \u0022e043d0134395874f67d2cb1e2263003d\u0022, \u0022path_pattern_hash\u0022: \u00229c0720be539cb7af2988746580f75126\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/build\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/build\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/build\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/build\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36\\r\\nAccept-C\u0022, \u0022payload_snippet\u0022: \u0022GET \/build\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/build\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/build\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/build\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36\\r\\nAccept-C\u0022, \u0022payload_snippet\u0022: \u0022GET \/build\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002225cfa7dff61018dc5243b7b3df61724adca719fe\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/build\/.env\u0022, \u0022request_line\u0022: \u0022GET \/build\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/build\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/build\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/build\/.env\u0022, \u0022request_line\u0022: \u0022GET \/build\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/build\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/build\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 6.0; en-US; Redmi Note 4 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":315},{"id":8910638,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40426,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/dashboard\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00229a56d64b4af88a0d635b4c8c20b317ece2545233\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022a0df23adcbc250d22f3ea9c43cd45132cd7d119e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 271, \u0022payload_entropy\u0022: 5.379148181793531, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228cd9715693a6a62634a9a62071d2924ebc075aa9\u0022, \u0022event_fingerprint\u0022: \u002227225256964769c2764663ff70fd1736dab986fe\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00224121f4b1882411f284b985166883864d\u0022, \u0022payload_hash\u0022: \u0022003df1c87f97545dd64f22494ba5ef85\u0022, \u0022path_pattern_hash\u0022: \u002290b830636acb1be7da7ed46e94f3bb1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleW\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dashboard\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnec\u0022, \u0022payload_snippet\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleW\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dashboard\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnec\u0022, \u0022payload_snippet\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleW\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002266c2e8e5e268132e8644ba295117acb0e6705715\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dashboard\/.env\u0022, \u0022request_line\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/1\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleW\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dashboard\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dashboard\/.env\u0022, \u0022request_line\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/1\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dashboard\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/dashboard\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleW\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_traefik\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_traefik\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":271},{"id":8910639,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40458,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/portal\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00223193618939b6335e1b558e3963348f9119abb96c\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002225e9d50bacd292841afcec6b93bcba6a1f6790d4\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 273, \u0022payload_entropy\u0022: 5.422393505083628, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u00220035921b13f6d2fa7e3d224a116b9b09e631743c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022679e177f8419850897b7d280f4c5074c\u0022, \u0022payload_hash\u0022: \u0022e801cbe3b03b2062f0ce4b1410e74d25\u0022, \u0022path_pattern_hash\u0022: \u00228432e822d78216a6822b5a443dbf894c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/portal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/portal\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/portal\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/portal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConn\u0022, \u0022payload_snippet\u0022: \u0022GET \/portal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/portal\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/portal\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/portal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConn\u0022, \u0022payload_snippet\u0022: \u0022GET \/portal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224bbc9e8549e6ac6882c778949da24caca39f555b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/portal\/.env\u0022, \u0022request_line\u0022: \u0022GET \/portal\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Y\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/portal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/portal\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/portal\/.env\u0022, \u0022request_line\u0022: \u0022GET \/portal\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Y\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/portal\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/portal\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":273},{"id":8910640,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40450,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/cms\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00222deed173bb925d20f21a83da5f9cf73a649295f0\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002283c0a8815eca606b22325f7ae33170918a4904ee\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 232, \u0022payload_entropy\u0022: 5.428818220669784, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022f0b4af499a9ed1b3a778d0f0b9b53d967aa3875e\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002225284458924ee287b259c1d34e26087f\u0022, \u0022payload_hash\u0022: \u002249d71a1dd489acb486e4de3b3b8373a8\u0022, \u0022path_pattern_hash\u0022: \u0022202848a338e2a8411edbe9c852ffc90f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/cms\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cms\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/cms\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cms\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cms\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cms\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/cms\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cms\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cms\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b9c9e3e2a8dc316a4ce9e5999051690b304cd8b9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cms\/.env\u0022, \u0022request_line\u0022: \u0022GET \/cms\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cms\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cms\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cms\/.env\u0022, \u0022request_line\u0022: \u0022GET \/cms\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cms\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cms\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (X11; U; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/14.0.835.94 Safari\/535.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":232},{"id":8910641,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40544,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/sendgrid\/.env.local","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022local\u0022, \u0022http_ua_hash\u0022: \u0022eaffd19466b40201afc74c1895732f48a659310f\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022767e9db7005d9cdf6cd3331a30730b9d5e7035c7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 268, \u0022payload_entropy\u0022: 5.422984081708327, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022f46eb5363d147eb6136fff1c530c5a53d9d07ed2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f8a8bea4d7391eb9891620a4be35b125\u0022, \u0022payload_hash\u0022: \u0022db20cd47ed6decc27884c6ecca5132a7\u0022, \u0022path_pattern_hash\u0022: \u00228797b46839a2325b1bc3ba5ac4c03fde\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) A\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sendgrid\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnectio\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) A\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sendgrid\/.env.local\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnectio\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) A\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e08db05ea6db14a4f47931667500214afe5ed7b3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sendgrid\/.env.local\u0022, \u0022request_line\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Saf\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) A\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sendgrid\/.env.local\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sendgrid\/.env.local\u0022, \u0022request_line\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Saf\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sendgrid\/.env.local\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid\/.env.local HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) A\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":268},{"id":8910642,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40480,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/data\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00225b8e3c220372e26ea185b50f69f0e65c363d4ca5\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022e54cfac955f5c42596d11eab4b07481d7b35d55b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 250, \u0022payload_entropy\u0022: 5.405633186487282, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022d700ba23e0e8ec7ab471d1d726d1aaf098bcc8f4\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226719986fa982ac52fdcd56844990490b\u0022, \u0022payload_hash\u0022: \u00220507ce787450f3433aa0c2e8a274ba42\u0022, \u0022path_pattern_hash\u0022: \u002224a4726ce7edb9d3428cf8684d193cc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/data\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/data\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/data\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/data\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/data\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/data\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/data\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/data\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/data\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e1a78be047fad1c9c41f5ddcefeac69959a9786a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/data\/.env\u0022, \u0022request_line\u0022: \u0022GET \/data\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/data\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/data\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/data\/.env\u0022, \u0022request_line\u0022: \u0022GET \/data\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/data\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/data\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":250},{"id":8910643,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40504,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/uploads\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022b5d3160edbd9ec3290854f4652f5eeceabb1af03\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022ce47452b1fa5a36e3e2ab6ad357d27ce11d38e66\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 200, \u0022payload_entropy\u0022: 5.23047310988151, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002235368f6d19a5f9fae29601fa972c8b6b1e142fb8\u0022, \u0022event_fingerprint\u0022: \u0022fc8d5142e9e9bd4aba4ee5d066448099c68f1f38\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220a43cd980fc948b1efc5a6d8ad95958f\u0022, \u0022payload_hash\u0022: \u00229f18dc9b0ce2ba0f200c2817312638b6\u0022, \u0022path_pattern_hash\u0022: \u002212e1063037a0428b03f9617844274d0a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/4\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/uploads\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/4\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/uploads\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/4\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ef6893fa704609f286b4ca4953c5ede6744788ce\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/uploads\/.env\u0022, \u0022request_line\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/4\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/uploads\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/uploads\/.env\u0022, \u0022request_line\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/uploads\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/uploads\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/4\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_uploads\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Android 6.0.1; Mobile; rv:48.0) Gecko\/48.0 Firefox\/48.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_uploads\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":200},{"id":8910644,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40558,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/config\/.env.production","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022production\u0022, \u0022http_ua_hash\u0022: \u0022e6f70c85d2fa5a441c4d7e1553dcd1193756c7bb\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022b18d8885bb1938ef9b65748771cc7ca2b2b01916\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 280, \u0022payload_entropy\u0022: 5.421028240832563, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227153aae7eef41add9af40a2b5e51a8c1090fdb3e\u0022, \u0022event_fingerprint\u0022: \u00223cfda8499aafa813c29e400a608c30d44418c0ea\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b41ee721ba21f7fa421c347798c990e5\u0022, \u0022payload_hash\u0022: \u0022c533dbc30f1aab483916bc2955d058ad\u0022, \u0022path_pattern_hash\u0022: \u002213dc0331670030f34544b2533e91efac\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzi\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzi\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002261aeaf50968515822a652e2e2f05a5f4975a6d8f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config\/.env.production\u0022, \u0022request_line\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 M\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/config\/.env.production\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config\/.env.production\u0022, \u0022request_line\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 M\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/config\/.env.production\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_config\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_config\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":280},{"id":8910645,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40526,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/apps\/frontend\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00227c438c03a8b477c6762c4303fa40e84098af9d8b\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022ba0ce57a366071a1ca1afd15a1a01a04ccdd2335\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.421986740491102, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u00220f3762a7c4130a2361126d1f70d9491401ac0ea1\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220c9ea2b546327c212601016ca4028695\u0022, \u0022payload_hash\u0022: \u0022f66d2b62c64d28de5312d65f57b8e74e\u0022, \u0022path_pattern_hash\u0022: \u0022a541762358ad3d2463e9e9180528a6a3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/apps\/frontend\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/apps\/frontend\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ffd42b6aebe6735a3b1df0545acf16baf9f5352c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/apps\/frontend\/.env\u0022, \u0022request_line\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apps\/frontend\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/apps\/frontend\/.env\u0022, \u0022request_line\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apps\/frontend\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/apps\/frontend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":259},{"id":8910646,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40548,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/wp\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022fad6576335f51728e462a2322cfffa453d91466c\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022ac9f3e6c6c68e068721388888a9710fa61a49772\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.407947557782378, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002273432212e528996aeca050b5acb7aa9ab9a8ae3a\u0022, \u0022event_fingerprint\u0022: \u0022a9f3f484cb26d4bc83085dbebce5cffae2853935\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222bab32c41672d1f63eb24e4bd5a6a542\u0022, \u0022payload_hash\u0022: \u00226a772594d8d67f99ca3b064a3d12291e\u0022, \u0022path_pattern_hash\u0022: \u00220151780c15d45702ae9dc50e582e8700\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/wp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wp\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/wp\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wp\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/wp\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223dbfd69505cb52250a25cb9d95fe632e9301487d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wp\/.env\u0022, \u0022request_line\u0022: \u0022GET \/wp\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wp\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wp\/.env\u0022, \u0022request_line\u0022: \u0022GET \/wp\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wp\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_wordpress\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; LG-H930) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_probe_wordpress\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":247},{"id":8910647,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40534,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/apps\/backend\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00223c19797de22e4f42db10a5014920d480b7a5110e\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00225342af8e96c105cf859dad12eed2c40aaf87d35d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.402990105184717, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022400d35f1a079c6dd9134379f4ee5ef0917362384\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022de47bd409216bf5b50e9ce3ba1928ac1\u0022, \u0022payload_hash\u0022: \u00220b6546a956b7bcd7be69e0f6c2e527c1\u0022, \u0022path_pattern_hash\u0022: \u0022cfddbf55f677ac93c8dcc5d08054758b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/apps\/backend\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/apps\/backend\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ff969950852780cdacd9ac47af997d6bdf50479a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/apps\/backend\/.env\u0022, \u0022request_line\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apps\/backend\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/apps\/backend\/.env\u0022, \u0022request_line\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/apps\/backend\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/apps\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":252},{"id":8910648,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40490,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/services\/api\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00220e7de72b8ef4a9b8957b37b75778884585397773\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022450e32f1680bf647be59805b14bbd52061e00349\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.407713392033296, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022bd0c2495468b169b08af77d17c3ab577b9525d7f\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226690acdea303b023ee630ce67a65f680\u0022, \u0022payload_hash\u0022: \u0022088ecba5cb80fde5e0376d972282f84e\u0022, \u0022path_pattern_hash\u0022: \u00229a476469205a3b7d9994ebc8d35d13e6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/services\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML, like Gecko) Beamrise\/17.2.0.9 Chrome\/17.0.939.0 Safari\/535.8\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML, like Gecko) Beamrise\/17.2.0.9 Chrome\/17.0.939.0 Safari\/535.8\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/services\/api\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML, like Gecko) Beamrise\/17.2.0.9 Chrome\/17.0.939.0 Safari\/535.8\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML, like Gecko) Beamrise\/17.2.0.9 Chrome\/17.0.939.0 Safari\/535.8\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002200b3ffe806596bd14564f5bfc45cbbcf91a69327\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/services\/api\/.env\u0022, \u0022request_line\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML, like Gecko) Beamrise\/17.2.0.9 Chrome\/17.0.939.0 Safari\/53\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/services\/api\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/services\/api\/.env\u0022, \u0022request_line\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML, like Gecko) Beamrise\/17.2.0.9 Chrome\/17.0.939.0 Safari\/53\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/services\/api\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/services\/api\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/535.8 (KHTML, like Gecko) Beamrise\/17.2.0.9 Chrome\/17.0.939.0 Safari\/535.8","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":259},{"id":8910649,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40514,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/storage\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00226d10ed516e2c23ca8f7bde0be44e14eb0b92730a\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022b8ca2ea5c794124cded93c100b20da74277adc4e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 278, \u0022payload_entropy\u0022: 5.357282526680888, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022f1b365dc1035f3c64025acd4851411537eaf0ae0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227523c5d32d67d6334420581b77fccf10\u0022, \u0022payload_hash\u0022: \u00226d3339f213f1e2b75bc831e65d751cc4\u0022, \u0022path_pattern_hash\u0022: \u0022450e48008d46f59e9e14143fd8de05b2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/storage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) A\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/storage\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 Mobile\/5A347 Safari\/525.200\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/storage\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/storage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 Mobile\/5A347 Safari\/525.200\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/storage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) A\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/storage\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 Mobile\/5A347 Safari\/525.200\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/storage\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/storage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 Mobile\/5A347 Safari\/525.200\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/storage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) A\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a08a04a4d015eee7e22d322171f3bf54b0c028c3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/storage\/.env\u0022, \u0022request_line\u0022: \u0022GET \/storage\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 \u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/storage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) A\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/storage\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/storage\/.env\u0022, \u0022request_line\u0022: \u0022GET \/storage\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 \u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/storage\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/storage\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) A\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (iPhone; U; CPU iPhone OS 2_0 like Mac OS X; en-us) AppleWebKit\/525.18.1 (KHTML, like Gecko) Version\/3.1.1 Mobile\/5A347 Safari\/525.200","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":278},{"id":8910650,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40556,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/web\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00223193618939b6335e1b558e3963348f9119abb96c\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002247bcdedb3b954688023f733564a003e944c34a32\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 270, \u0022payload_entropy\u0022: 5.431974931143035, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022cbcb214855d2b3840f8ebf4a51da6f28e83db14c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022679e177f8419850897b7d280f4c5074c\u0022, \u0022payload_hash\u0022: \u0022d220adfad284c3ec53d5906ecc68abf2\u0022, \u0022path_pattern_hash\u0022: \u0022d80a28198e7c3b2ce080248f274b9024\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/web\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/web\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnect\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/web\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnect\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ddf8b4c63536ef632c1a10846cebcaf6abe90951\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/web\/.env\u0022, \u0022request_line\u0022: \u0022GET \/web\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Y\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/web\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/web\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/web\/.env\u0022, \u0022request_line\u0022: \u0022GET \/web\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Y\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/web\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/web\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":270},{"id":8910651,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40476,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/temp\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00228a0d3c36d342e07fca0f4e338490cf64702e86ff\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022a617862b9702a5eb0473c44d9afaf4e0da55a075\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 283, \u0022payload_entropy\u0022: 5.459196621012895, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022d3313530caa7c4cb4c0fd6896c43845686a4481d\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002206f2d4a7b4271764433eb31e4582226a\u0022, \u0022payload_hash\u0022: \u002261b1fe3d75d2d15893e692278b89c381\u0022, \u0022path_pattern_hash\u0022: \u002275ee17153df3d0dbe793fbb0bd486a6b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/temp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/temp\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/19.6.0.1583 Yowser\/2.5 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/temp\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/temp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/19.6.0.1583 Yowser\/2.5 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/temp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/temp\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/19.6.0.1583 Yowser\/2.5 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/temp\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/temp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/19.6.0.1583 Yowser\/2.5 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/temp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227dda02882dba88f20d3411ecacc4fdabaf2a8962\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/temp\/.env\u0022, \u0022request_line\u0022: \u0022GET \/temp\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/1\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/temp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/temp\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/temp\/.env\u0022, \u0022request_line\u0022: \u0022GET \/temp\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/1\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/temp\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/temp\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 YaBrowser\/19.6.0.1583 Yowser\/2.5 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":283},{"id":8910652,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40766,"dst_port":6000,"service":"http","classification":"http_flood","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sendgrid.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022ee51e06bab42e31123dc56d3e7441fe31d3bdca8\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00223719861ea949dc2f70a7ae8ced2a838a6837f706\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 221, \u0022payload_entropy\u0022: 5.235626252495559, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002235710d6d55c00375c8b01901907a562f82ebc055\u0022, \u0022event_fingerprint\u0022: \u0022e95ca6e23bdba8d3226e9dca995de777fe5dd413\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 177, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227c03a0ceb5e41705263eecefeb91e5ab\u0022, \u0022payload_hash\u0022: \u002233cfd2c40643d1386ed56824e2c116f2\u0022, \u0022path_pattern_hash\u0022: \u0022ca36907c59a1a3482046c81a2d773198\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/200807\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/200807\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/200807\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022700c6956786cc0da4a99c93a7c8275c79360525f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/200807\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sendgrid.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sendgrid.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/200807\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":7,"bytes_in":221},{"id":8910653,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40722,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":35,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/sendgrid\/.env.production","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022production\u0022, \u0022http_ua_hash\u0022: \u002236b2c5972533af7e5956297807b2c33aa9477160\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002215c901ce89f04ab49d92ce30544afd5e7fe875d5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 317, \u0022payload_entropy\u0022: 5.4200597376476, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc83b3e8a0c0f66ab5699ac1ad40677883f0c12e\u0022, \u0022event_fingerprint\u0022: \u00222221c4be99f450ec08c0ef7e898eb2aeb0a66be0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022547390dc24dabcde99bb415ff353ef57\u0022, \u0022payload_hash\u0022: \u00225af5ddf28b1dacf7f4d7c62fbd373c1d\u0022, \u0022path_pattern_hash\u0022: \u0022372a0d709ccb756df0c1c71eb9496ec6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.0\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sendgrid\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba\\r\\nAccept\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sendgrid\/.env.production\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba\\r\\nAccept\u0022, \u0022payload_snippet\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.0\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a978bb579685aa3037ba3893a1a42bcadb1338e5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sendgrid\/.env.production\u0022, \u0022request_line\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHT\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.0\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sendgrid\/.env.production\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sendgrid\/.env.production\u0022, \u0022request_line\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHT\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sendgrid\/.env.production\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sendgrid\/.env.production HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.0\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":317},{"id":8910654,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40760,"dst_port":6000,"service":"http","classification":"http_flood","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/app\/sendgrid.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002237a14ab67d3294a3b44a0052de24249abeddc0b7\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022c4e386f94f6eeabfd7559193ad14662c752c4a14\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.391974806523974, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221c2802767afe3133890fce0834374b386210600f\u0022, \u0022event_fingerprint\u0022: \u0022953f90246c95a3c09114add5420234961a5a3a48\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 177, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221ccd4ec1df8c467e14234584945653a1\u0022, \u0022payload_hash\u0022: \u00221c05bd0abb2db6a1fa5b6ac0928a30f6\u0022, \u0022path_pattern_hash\u0022: \u00226261a164ed75d70d1161dccf152278f4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.146 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.146 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.146 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.146 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cddba29751b063ff057fabdc29dd34de50edf333\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/app\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.146 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\/sendgrid.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/app\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.146 Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\/sendgrid.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/app\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.146 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":251},{"id":8910655,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40662,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/services\/backend\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002264a327cf48adaea4eba4fb6a97f4e5e5d16c3d84\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022bff52174bd71304ed2bfcd7637238e2def0caff3\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 258, \u0022payload_entropy\u0022: 5.389952845418711, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u0022f025e4b58bfb247f0d3a47ea47a9228ee7d42099\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022508d1061f77f6b94259663e34afad01e\u0022, \u0022payload_hash\u0022: \u0022d0cd9e05ea4fd990df24e9b3f25c2359\u0022, \u0022path_pattern_hash\u0022: \u00225b9b007f982aa0909ed1fcbe7f087982\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/services\/backend\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/services\/backend\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a2d90e898ba57d2257b47b2ff130e78192b837ac\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/services\/backend\/.env\u0022, \u0022request_line\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/services\/backend\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/services\/backend\/.env\u0022, \u0022request_line\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/services\/backend\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/services\/backend\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; MI 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":258},{"id":8910656,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40672,"dst_port":6000,"service":"http","classification":"http_flood","waf_score":23,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/sendgrid.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u002223a822de2ed816c92112ae57dc0233cb940b3215\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00228149e0a81645028a99dab3a9f8706cae00eb175a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 209, \u0022payload_entropy\u0022: 5.253897290220575, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002206200243d042d7b50d30d49ad54646aa0bc3b574\u0022, \u0022event_fingerprint\u0022: \u00228a733cfdb98da0773ec2d85f0136cacd0f68611f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 177, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b5ce20ec335f9cec50b5780e9e056899\u0022, \u0022payload_hash\u0022: \u002227d6fd31d775953088b28707696179d8\u0022, \u0022path_pattern_hash\u0022: \u0022bd5f833bf1b56cd8bb63ce4b1b4efaea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0 Firefox\/16.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0 Firefox\/16.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0 Firefox\/16.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0 Firefox\/16.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b040a125bf5c7726ceb94ae388157b1194a6116\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/api\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0 Firefox\/16.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/sendgrid.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/api\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0 Firefox\/16.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/sendgrid.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_probe_api\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:16.0) Gecko\/16.0 Firefox\/16.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950600:k8s-api\u0022, \u0022http_probe_api\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":209},{"id":8910657,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40708,"dst_port":6000,"service":"http","classification":"http_flood","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/src\/sendgrid.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022cd081cf32c7af044352f8b2856a18f1824db007f\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002265ab1a4a4b69eaa754edacfbad2ed06d355ae77f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 256, \u0022payload_entropy\u0022: 5.410225583311578, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221c2802767afe3133890fce0834374b386210600f\u0022, \u0022event_fingerprint\u0022: \u0022a67b0807dd8cee9906f7a1296124427a33c48c7a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 177, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022233ef1c039aaa5ebdc8ce5615d566cc2\u0022, \u0022payload_hash\u0022: \u0022969ba186c0fe72a3029ad001c48e4294\u0022, \u0022path_pattern_hash\u0022: \u002237297d51019b5c4aaeb2b2f7ef330082\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (K\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/src\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (K\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/src\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (K\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d65d7262687771824683cb37ae471c00d2415720\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/src\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (K\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/src\/sendgrid.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/src\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/src\/sendgrid.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/src\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (K\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; RMX1801) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":256},{"id":8910658,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40688,"dst_port":6000,"service":"http","classification":"http_flood","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/sendgrid.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022cdc866193a6d6b57fc97b22f77f11b0377b02f90\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022442d1e47f2d87d2eb61cbc03306278922032dd94\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 183, \u0022payload_entropy\u0022: 5.268533157979189, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022497817e12e8ecd0d51f8fa2d496126f0ad01d88a\u0022, \u0022event_fingerprint\u0022: \u00228444e43fde80cb6ff44ca5a0f39f9922d74c0728\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 177, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e107c4c62744655755dad780f4736840\u0022, \u0022payload_hash\u0022: \u0022fdf2b1c847435312d8ea089782fa967a\u0022, \u0022path_pattern_hash\u0022: \u0022063c352cd871139979301d261825ea56\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\\r\\nAccept-Chars\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\\r\\nAccept-Chars\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/config\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\\r\\nAccept-Chars\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002276aea61fd235aaf24f3e08bfbf81b8a49f812371\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\\r\\nAccept-Chars\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/config\/sendgrid.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/config\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/config\/sendgrid.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/config\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23\\r\\nAccept-Chars\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"MSIE (MSIE 6.0; X11; Linux; i686) Opera 7.23","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":7,"bytes_in":183},{"id":8910659,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40648,"dst_port":6000,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022]","http_method":"GET","http_target":"\/services\/auth\/.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022e596f3886a524289afe7da407c4c19cb47348c57\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u002209b20d19aa313f464eacd68829b3fab12fccb496\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 206, \u0022payload_entropy\u0022: 5.270018433039415, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229619569dcaf0b8f5fa13e930e5a1bad198a784b9\u0022, \u0022event_fingerprint\u0022: \u002224cce60873abe71d4680fb8a972e95936e4d37a7\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022dec4fdf6408be2ff275246ae930c1855\u0022, \u0022payload_hash\u0022: \u0022945bcc3d94b313f7068829aaba6d84b6\u0022, \u0022path_pattern_hash\u0022: \u0022465b6d455db6ce12c0bb2d49f4cfba7e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Fir\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/services\/auth\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Fir\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/services\/auth\/.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-1\u0022], \u0022request_line\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Fir\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225c42947b20e720c042e3deecb761b7ffa3cddb2b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/services\/auth\/.env\u0022, \u0022request_line\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Fir\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/services\/auth\/.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/services\/auth\/.env\u0022, \u0022request_line\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/services\/auth\/.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/services\/auth\/.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Fir\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:55.0) Gecko\/20100101 Firefox\/55.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950514:leak-1\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":206},{"id":8910660,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40692,"dst_port":6000,"service":"http","classification":"http_flood","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/.sendgrid.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022af95654136764219f3e1be062b59f67c138da948\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00228f07a946eac55a0d93410b891e5fe6efec058843\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 220, \u0022payload_entropy\u0022: 5.341658532377735, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002235710d6d55c00375c8b01901907a562f82ebc055\u0022, \u0022event_fingerprint\u0022: \u002297420e9e61dd3e509f36bf5a28472648e8209a48\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 177, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226ad009cbfe015d0ea51aa1bd68d4dfd3\u0022, \u0022payload_hash\u0022: \u0022b5ae3d5f6c6b46fa6c839d10a64f18f7\u0022, \u0022path_pattern_hash\u0022: \u00224d50e820d719289a3d1db022acb55ec6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a7209298dc36954d8797979300265d888d9d19dd\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/.sendgrid.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/.sendgrid.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko\/2008092814 (Debian-3.0.1-1)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":7,"bytes_in":220},{"id":8910661,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40736,"dst_port":6000,"service":"http","classification":"http_flood","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/mailer\/sendgrid.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u0022f8985d90f719a409268dbb04a717ddaa35f0fbe3\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u00220d804ea4366c582b0f223f08078e10e564e8a42a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 298, \u0022payload_entropy\u0022: 5.477690239491585, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221c2802767afe3133890fce0834374b386210600f\u0022, \u0022event_fingerprint\u0022: \u00220f5669e83725f50621e9ec1ab58aa7e8373a4d2d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 177, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022afe00c22406b8bb2bbedc2386b0d3fa6\u0022, \u0022payload_hash\u0022: \u00226455bc3d0ef958493e9d1308906769f5\u0022, \u0022path_pattern_hash\u0022: \u002266c1a617012ac9022dbc5b268897d59c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/mailer\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\/LRX22G) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/3.2 Chrome\/38.0.2125.102 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\/LRX22G) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/3.2 Chrome\/38.0.2125.102 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAc\u0022, \u0022payload_snippet\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/mailer\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\/LRX22G) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/3.2 Chrome\/38.0.2125.102 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\/LRX22G) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/3.2 Chrome\/38.0.2125.102 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAc\u0022, \u0022payload_snippet\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228d5890c3cb0d514832a44c5c73443b87fd47d57e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/mailer\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\/LRX22G) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowse\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mailer\/sendgrid.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/mailer\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\/LRX22G) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowse\u2026\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mailer\/sendgrid.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/mailer\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Linux; Android 5.0.2; SAMSUNG SM-T530NU Build\/LRX22G) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/3.2 Chrome\/38.0.2125.102 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":298},{"id":8910662,"ip":"34.95.202.70","ts":"2026-06-14 14:08:55.000000","proto":"tcp","src_port":40778,"dst_port":6000,"service":"http","classification":"http_flood","waf_score":12,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/mail\/sendgrid.env","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022env\u0022, \u0022http_ua_hash\u0022: \u00221d1f517f0c4d83a6ee1edd950ae4abac782aea2c\u0022, \u0022http_host_hash\u0022: \u00229d347d028c377ce68c7f996bd692f8cf5d190493\u0022, \u0022http_target_hash\u0022: \u0022918fb0707c3047f4a464183e84e60c7ef822770a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 254, \u0022payload_entropy\u0022: 5.361926573655311, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 6000, \u0022risk_waf\u0022: 56.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221e3e4f6ed236382095035e1ab10c76c64da5de95\u0022, \u0022event_fingerprint\u0022: \u0022c2f6b524eddb1003ec0641fbfd8fd7c0e264f734\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 122, \u0022precision_signals\u0022: [\u0022MITRE-T1499\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1499\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002211ad370e5a0b9f0d2ae736b41231fe52\u0022, \u0022payload_hash\u0022: \u00226c35ab757d06edfbe18923ad6c391793\u0022, \u0022path_pattern_hash\u0022: \u0022b9496c7b6aaeb3d017c2f794092f550b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/mail\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/mail\/sendgrid.env\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1499\u0022], \u0022mitre\u0022: \u0022T1499\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225eda41dc1cf2744b4a62e189a4be40646fed904d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/mail\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mail\/sendgrid.env\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3 \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: nosqli-3 \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6000, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1499\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1499\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1499\u0022, \u0022mitre_technique\u0022: \u0022T1499\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/mail\/sendgrid.env\u0022, \u0022request_line\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240\u0022, \u0022port\u0022: 6000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTP:6000 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mail\/sendgrid.env\u0022, \u0022evidence_snippet\u0022: \u0022GET \/mail\/sendgrid.env HTTP\/1.1\\r\\nHost: 62.3.50.33:6000\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022target_port_label\u0022: \u00226000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_mail\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6000","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_mail\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":6,"bytes_in":254}],"total_events":332}