{"ip":"35.221.148.26","exported_at":"2026-06-18T09:43:27+00:00","period_days":30,"metrics":{"events7d":0,"distinct_ports":0,"distinct_classifications":0,"max_severity":null,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":81,"attack_stage":"exploit_attempt","attack_chain_stage":null,"threat_family":["rce_probe"],"recommended_action":"investigate","confidence":0.89,"risk_breakdown":{"waf":60,"classification":88,"behavior":0,"geo":40,"protocol":25,"novelty":15},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":null,"top_mitre_technique":null,"top_mitre_count":null,"executive_one_liner_fr":"risque 52\/100","campaign_hint_fr":null,"confidence_breakdown":[],"persona_hostname":null,"correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":89,"confidence_hint_fr":null,"sensor_role_label_fr":null,"tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":null,"protocol_details":[],"protocol_summary_fr":null,"evidence_snippet":"GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:2379\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36","target_port_label":"2379","emulator_service":null,"confidence_reason":null,"classification_reason":null,"classification_reason_label_fr":null,"confidence_factors_fr":null,"payload_preview":"GET \/server.pem HTTP\/1.1\r\nHost: 62.3.50.33:2379\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36"},"events":[{"id":8257394,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43592,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/server\/credentials.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00224249cea9e93ec31f802715b60c697c0db7629406\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00220448476e8596bfb535234584ac471c02983c6fe7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 258, \u0022payload_entropy\u0022: 5.403923738523618, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e61efc62d01535c4e6fbe8454e919a2b486de4a7\u0022, \u0022event_fingerprint\u0022: \u0022e97c2527c1141f8c38cea21784856e362891aea4\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022280092128e55ed38327a8bfa4e31ba77\u0022, \u0022payload_hash\u0022: \u0022d6363e899f85a7c83e1890486ec7eedf\u0022, \u0022path_pattern_hash\u0022: \u0022017fc0dcd972a4e3aefd53875717b41b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/server\/credentials.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-T819) AppleWebKit\/\u0022, \u0022event_signature\u0022: \u0022162827cec991014d49ac2ad4907a932c2b4b8938\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Linux; Android 7.0; SM-T819) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":258},{"id":8257395,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43602,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.842346797828931, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00229d7bc1def9f6921d456e9d8371b2ae5c\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdH\u0027\ufffdk\ufffd:J\u003CI\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$\\u000e\u078f\\u0006\ufffd\ufffd\u0026\ufffd.\ufffd\\u0014}-[ e\ufffd\ufffd\\u0010\ufffd\ufffd\/\ufffd{\ufffd\u177f\ufffd\ufffd\ufffd\\u000f\u991b\ufffd4\ufffd\ufffd\u071c\ufffd\ufffd#\ufffdy\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u00225d48463ee45e5c20b045d89a4f6bca00cbe41cf8\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257396,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43596,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.875530039454857, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00226860df4c2782cbab0fa8caa81e4d9ad3\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003UR` \ufffd\ufffd\ufffd\u0464;\ufffdRD\ufffdh:\u03bc\ufffd\u0027\ufffd\ufffd.\ufffdd\ufffd\ufffd\ufffd}\\u0005\ufffd\ufffd dv\ufffd\ufffd*\u6ddau\\u001d%`\ufffd\ufffd\ufffd(\u07cc9\\u00138\u01eb\ufffd\ufffd\ufffd\u01e9o\ufffdO\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u00225a1cc1538590ecb25a666c68ae95a9c03ef220ee\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257397,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43608,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.827214096449271, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022070e0c21ac9c9aed9a1444130dcb1d24\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd::\ufffd*$\/\\r\\u0011R\u0399b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\\u0018W\\u0012\ufffdzzm\ufffd \ufffd\ufffd1R1\ufffd\ufffdM\ufffd\ufffd\\u000e\ufffd\ufffd\ufffdh\ufffd\ufffdRJ\u0026\ufffd\\ts\\u0014\\u0016\ufffdIl\ufffd\ufffdGl\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u00229b4cefeb33a7d9a65639afdf25b79ec25f78ec2f\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257398,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43624,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.800588521336035, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022362f990e01e6a3e555e53746dd004ad7\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdo\ufffd6\ufffd\ufffd:\ufffdnw\ufffd\ufffd\ufffd\\u0016\\u0018\\\\`\ufffd\ufffd\u003CIK\u0141b\ufffd\\u0011\ufffd\\u001a\ufffd\\u0017 -\\\\\ufffd0\\u0007b*2\u0121X\\u0000\\\u0022Y?t\\u0017\ufffd!\\\u0022\\u000b\ufffds\ufffdb\ufffd^\ufffd\ufffd)\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u002213a43d8d0a61e2ae697b8db81f4268c6102157eb\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257399,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43634,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/config.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022afaef0f99cc843a75f3982218f53425fc2283894\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022de9396c02d7e95e2bf1af9f60ce296f0b321d0a5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 223, \u0022payload_entropy\u0022: 5.258635826208793, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002263ec2dacf58c7eb779b0cc6bfcb389bdff3e9b97\u0022, \u0022event_fingerprint\u0022: \u0022f53f1f659a290d1d1319023f4f229d8c5a4ab5bb\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022214fdf6e225ce94d5d66ff75568bb7ac\u0022, \u0022payload_hash\u0022: \u0022def1174ec93df0630a1171979836fd4a\u0022, \u0022path_pattern_hash\u0022: \u00223d1d3f9c6b53a14673a3554e1b4c6dd0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Maemo; Linux armv7l; rv:2.0.1) Gecko\/20100101 \u0022, \u0022event_signature\u0022: \u002239b7b111a33cb4f1f25b141780cf635f2f86bc0f\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Maemo; Linux armv7l; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1 Fennec\/2.0.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":223},{"id":8257401,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43646,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.879056604924434, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022629a4a5981d841ad9a3b83840383fd73\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003(~\ufffd1\\r\\u0018\ufffdm\ufffdo\ufffd\ufffd\ufffd)?*\ufffd22\ufffd\\u0002?\u74ac\ufffdj\ufffd?\ufffd \ufffd#\\u0004\\u000e\u003E\u9e2d\ufffd\\u001aB}\\u0013\ufffd\ufffdmB9\ufffd\ufffd\\u001a 2\ufffd\\t\ufffd\ufffd\ufffd\ufffd)t\\u001f\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u002202388bd478775f6d300bdd4e14949e46f99f2df3\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257402,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43668,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.924698867590898, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022e0ebaea8273550aa5f1e79f665421022\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u00037d\ufffd\ufffdVf\\u001a\ufffd1V\\u0011\ufffdj\\u0017\\u0018k\ufffd\ufffddK{]\\u000eJ\ufffd\ufffdcs\ufffd\ufffd\u051a N(\ufffd\ufffd\ufffd\ufffd\ufffd\u03db\ufffd$\ufffdg\\u000e\u02eaU\\n\\u000f?\ufffd\ufffd\\u0007\\u0003=\ufffd\ufffd\\b_0D\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u00221a701bb225010c011c5554c0a641428b8a4a5d00\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257403,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43656,"dst_port":2379,"service":"http","classification":"nosql_injection","waf_score":6,"waf_tags":"[\u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/config.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022dc2254c57026a6b573805dd4fc04df122288ff2e\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00224b477b42944b87fd4e11e277a534d68f945d83fe\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 146, \u0022payload_entropy\u0022: 5.092544763453592, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 41, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e0c2be6d43da36ca23eeda087ab632bb852d958c\u0022, \u0022event_fingerprint\u0022: \u0022529398997034a321a101a3b851e7c09181cccb9a\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222476ea2a6d4536cbc4b720269faca719\u0022, \u0022payload_hash\u0022: \u0022e48a842ac62929139193d03fc7a5ba98\u0022, \u0022path_pattern_hash\u0022: \u00225e7f381673d898357804d76b7becb05a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022confidence\u0022: 0.74, \u0022classification_confidence\u0022: 0.74, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: w3m\/0.5.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nCon\u0022, \u0022event_signature\u0022: \u0022e54acd83e8b3c3a9bb1df6fe1cbc0f31dbf8c853\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"w3m\/0.5.1","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":146},{"id":8257404,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43678,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.8976575967781955, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00229e3b6f82407741c301103501f2144e3f\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0004v\ufffd\ufffd[\\u0019\ufffd\\fA\u003E\ufffd-\ufffd\u003C\ufffdcf\ufffd\ufffd+\ufffd\u05fc\ufffd\u0156Q\ufffd`LN\ufffd yoq,\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffd\ufffdN\ufffd}\ufffdW\ufffd\\u0005kl\ufffd;\u0026\ufffd\ufffd\ufffd0B\\u0004\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u0022cb275bdcd38696571c9c24f9a2fa90df08ed4804\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257405,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43690,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.884955807996473, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022d532e6d2e28071367e3640d5f2df4579\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0013\ufffd\ufffd\ufffdU\\u001e\ufffdE~\\u0012uy\ufffd\ufffd\\t\ufffdC\ufffd\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\ufffd\\u001a\ufffd\\u000e\ufffdv 0\ufffd9`\ufffd\ufffdH+~s\ufffd\\fQ@\ufffd\u0448\ufffd\ufffdd\ufffd\ufffd\\u000bp\\u001b\ufffd\ufffd\ufffd\ufffd4\ufffd\\r\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u0022f8f1938bec7f2cd3b661b57bc1bf953dcbc92160\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257406,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43692,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/settings.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u0022a48e2906a94ec5677ce731233be684b23b9eb4b8\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022418a5f6a5e1110ffbd155bc9313c50008e60f423\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.434569347137263, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u0022756c891bfe2022dac949556ec40eac839390b8d5\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c75374200fddd57c03fa3f60251c11e5\u0022, \u0022payload_hash\u0022: \u002282d19e95580cb1804aee1f6e0b50af03\u0022, \u0022path_pattern_hash\u0022: \u0022b9b36a42819ef11fa7d42979d581f393\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/settings.php HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KH\u0022, \u0022event_signature\u0022: \u002214b575a52ef2ebd32164ba425e4c57db265be85d\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2272.76 Safari\/537.36 OPR\/28.0.1750.40","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":264},{"id":8257407,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43696,"dst_port":2379,"service":"http","classification":"lfi_attack","waf_score":20,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/server\/database.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u002244700d390ed03b3edb98b4cd0adfb53a6695960d\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022aa0f50eb579ffeade54de0b8a91905c499016135\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 196, \u0022payload_entropy\u0022: 5.356112914167571, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 88.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 88.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ffce30b346d642b080ae335dd91ed48a6582302f\u0022, \u0022event_fingerprint\u0022: \u0022cb470cd5e69064b4cab9d3eacf805cf9612ed949\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223bf9b321eed1f554080acf4067a41273\u0022, \u0022payload_hash\u0022: \u0022a67f339eac0c0a808f3e1cbd93d570ca\u0022, \u0022path_pattern_hash\u0022: \u002271d6b5c79d1b79d1d13caa0c134a8b3a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/server\/database.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.12\\r\u0022, \u0022event_signature\u0022: \u0022c38875d46044ede985302eca0664b80b2ed6519d\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Lynx\/2.8.5rel.1 libwww-FM\/2.14 SSL-MM\/1.4.1 GNUTLS\/0.8.12","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":196},{"id":8257408,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43704,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/server\/secrets.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00225c96917f2e7233b20b0cc9e93369805d64c81459\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00225647b3d5d4414e068d63f3478ce1ad7b134bdc0a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 270, \u0022payload_entropy\u0022: 5.411987886498901, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002245ff211aa5857e1a50c6458c37bc675159e9108d\u0022, \u0022event_fingerprint\u0022: \u00224ad42344acb22d55101d00cd4f078722530161af\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ab981d7fe999a1ab3024925533449903\u0022, \u0022payload_hash\u0022: \u00226dc6be650af128cc69d2033e2093dd70\u0022, \u0022path_pattern_hash\u0022: \u0022f81daa0bd66d196382d4552c744f4562\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/server\/secrets.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Buil\u0022, \u0022event_signature\u0022: \u0022193287289bff80cc7e9ae8b0242069fa3c161d3e\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 3.0.1; en-us; GT-P7100 Build\/HRI83) AppleWebkit\/534.13 (KHTML, like Gecko) Version\/4.0 Safari\/534.13","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":270},{"id":8257409,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43708,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00224d2c8205d3aef70e0949276f0e2c286395c7d033\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022b8ef185fa629a44e5f886526b7a4543e57899abc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 272, \u0022payload_entropy\u0022: 5.4246134342687125, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002263ec2dacf58c7eb779b0cc6bfcb389bdff3e9b97\u0022, \u0022event_fingerprint\u0022: \u00221c8a4e9680e64cbe039f150e5c77da1445149fe7\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226c4931ae9201e4d4a33cc801e74d4a5f\u0022, \u0022payload_hash\u0022: \u002282485890cb87dccc6258177b92baa39b\u0022, \u0022path_pattern_hash\u0022: \u002272260f34617018282328c71c36115b23\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/config.php HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, l\u0022, \u0022event_signature\u0022: \u0022f99908a83521754bfd7ae1477bd77b3c879ecb4c\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/65.0.3325.181 Chrome\/65.0.3325.181 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":272},{"id":8257410,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43710,"dst_port":2379,"service":"http","classification":"bot_scraper","waf_score":6,"waf_tags":"[\u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/database.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u0022daab5fc4c467aa8a9daaa85593b1213690dc0e35\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022e700e04925bb0dece8be41de92b622f2cd49e098\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 156, \u0022payload_entropy\u0022: 5.124359271747021, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 35.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 35.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 31, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226db1c2bb7477188e01f51ff265a19447884dcfd9\u0022, \u0022event_fingerprint\u0022: \u0022b50b92ca0d44f53b767894ed1e48982a0a877850\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ad95480a3650d7bcef1897a9a5faf9d5\u0022, \u0022payload_hash\u0022: \u00226a67aed288ddff66bb0b51e411361f0b\u0022, \u0022path_pattern_hash\u0022: \u0022a199a05002f19c0fd144e669de1d6b8d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022spam_abuse\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/database.php HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Python-urllib\/2.5\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding:\u0022, \u0022event_signature\u0022: \u0022c884d11fa2634843e6e68ae8436262143d192519\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022http_ua_bot_scraper\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Python-urllib\/2.5","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022http_ua_bot_scraper\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":4,"bytes_in":156},{"id":8257411,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43716,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.868383004721611, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00224ecfcddc914752b6614448bf6c9b4f10\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\u031a\ufffd\ufffd\ufffd\\u0006.\ufffd\\u0005\\b\ufffd\ufffd\ufffd\ufffd\ufffdFQ\ufffd\\\u0022\ufffd\ufffd\ufffdy\ufffda\\u000f\ufffd~\ufffd\ufffd \ufffd\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\\u0002\ufffd\ufffd#\ufffd\ufffdi$wqz6M\ufffd\ufffd?\ufffdm\ufffd\\u0005\ufffd\ufffdx\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u0022201f8c7941c9f6cd59438ff374a910753968938f\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257412,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43726,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.844701313286441, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00224def374f047c0d2a14eb39e2eed9694b\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdX\u003El\ufffd\ufffd^\ufffdY\u4733\\u0015\ufffdm{\ufffd\\u0013,\u0026!\\u0015\ufffd\ufffd\ufffd\ufffd]B\ufffd\\u0007t\\u000b 7\\u000f\ufffdv\\u0002#n\ufffd\ufffd\ufffd\ufffd\ufffd\u013d\\u0015K\u03dbMi4\ufffd\u070cv\ufffd\\u001f\ufffd_(\\u0017F\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u0022175682d67bafab6b3ffc7125998abf0dcd0e7af7\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257413,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43738,"dst_port":2379,"service":"http","classification":"nosql_injection","waf_score":12,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/settings.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00225213a3dee29390f1601bf050812aaa2f5e3e3acd\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022685504ac0d6e0f8f1fa3f76b520b87d9ae0b417b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 217, \u0022payload_entropy\u0022: 5.252239706231646, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 56.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a7f4cfe584f8d8ab55a384f5bb5e07a46b54d862\u0022, \u0022event_fingerprint\u0022: \u0022890c0659242182a4752d5280bac66fbddd514182\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022946329703707544255caca1836803207\u0022, \u0022payload_hash\u0022: \u0022bbca966326a4693cfe392053c937995a\u0022, \u0022path_pattern_hash\u0022: \u002267287998b6e12c15adb9346817eff41d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/settings.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/C\u0022, \u0022event_signature\u0022: \u0022e35905de639c9429a62849f9838f9923a694a9f1\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"BlackBerry9700\/5.0.0.351 Profile\/MIDP-2.1 Configuration\/CLDC-1.1 VendorID\/123","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":217},{"id":8257415,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43740,"dst_port":2379,"service":"tls","classification":"syn_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.879571052859225, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 79.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 79.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea92e9a01afdfaf4a8f8323f4aa8fc7e6210a798\u0022, \u0022event_fingerprint\u0022: \u0022ed512752271fda2eb0913bd07e4a5caeb0461dd3\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022fafdb466df97918a2168fbe02964ad62\u0022, \u0022path_pattern_hash\u0022: \u002218ea0213c0d23e39dd8461c4478348f1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022tls\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003)^\u066c:\ufffd^Q\\u0012i\ufffd\ufffd\ufffd\ufffd\\u0005\\u001b8`[\ufffd}\ufffdj\ufffdt0\ufffdy]\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\/\ufffd\ufffd\\u0013\ufffdV\ufffd(\ufffd\ufffd{7\\u001b\ufffdG\ufffdH;\\t%\ufffd\ufffdp\\u001b%g\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022event_signature\u0022: \u0022d5ce152eb5edd211dc1b595f1152c172d8e1574f\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_flood\u0022, \u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":7,"bytes_in":239},{"id":8257416,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43748,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/database.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022042aea374dea8d91a602a0e615549b479ed19ff2\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022324166cb65153559217bf0708f5a6254e46c2733\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 268, \u0022payload_entropy\u0022: 5.405746190354103, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u0022520cae61f34e83cce9354d17e67dd175097e2040\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002200d61033796631745a230211c2789e70\u0022, \u0022payload_hash\u0022: \u0022adfee7081f983e325bb684f4cc0316a8\u0022, \u0022path_pattern_hash\u0022: \u00228e18067a263c70f5df57381290358eb6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/database.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebK\u0022, \u0022event_signature\u0022: \u0022b62ffba13391e8ec5d4d8d0913010314816d8cfa\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":268},{"id":8257417,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43764,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/database.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u002273a913f3f43514206b17b66ce8ea4570141fe17b\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022942ff77c5ee7a45ad41df6b61bbcc8c510b2de01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 222, \u0022payload_entropy\u0022: 5.282036715302616, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u0022ac7cb7556c550dca7630a6049bb4a7f97942e544\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a23f789fbcc84a8a6bba1ba09d780825\u0022, \u0022payload_hash\u0022: \u002257d39d6ca10f4076d9a8f13be4148fca\u0022, \u0022path_pattern_hash\u0022: \u0022571ed335a10c7335c4655f72fb6293ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/database.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Ge\u0022, \u0022event_signature\u0022: \u00229d8dae629dacfdf8f942824263f21444eeb2716b\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko\/20100101 Firefox\/40.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":222},{"id":8257418,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43782,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/secrets.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u002212c925cde932675ad2d938b73ea9509ae86f897b\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022d245df2b930ac6e64a12821e6902cce878e9a7ce\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 248, \u0022payload_entropy\u0022: 5.407048496663328, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002240c38516f1db8d896fbe26e05524c27ae8fce2d3\u0022, \u0022event_fingerprint\u0022: \u0022111e1ae50f0c45a5865a4abf576aa6b97dce31c5\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221cabf74e242074910d5c90bc3f85c1e5\u0022, \u0022payload_hash\u0022: \u002280b1ae8f156a9a0ed76d02c8a3bd05bb\u0022, \u0022path_pattern_hash\u0022: \u0022b82ce86956be379e0d4ab3fedf084ba0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/secrets.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKi\u0022, \u0022event_signature\u0022: \u002274db81a81dd1ac16628753e3b5a33d11fdcf8bc2\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit\/125.4 (KHTML, like Gecko, Safari) OmniWeb\/v563.15","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":248},{"id":8257419,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43768,"dst_port":2379,"service":"http","classification":"lfi_attack","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/credentials.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022ece89018f8e51dcdb25431bef4142f642a506f93\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00225234289420e6776a17bc2d2e029b5e8f0af33b10\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 208, \u0022payload_entropy\u0022: 5.2974228848006835, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224e414ddea16cbf88e589f1081cd45e8da2cabc01\u0022, \u0022event_fingerprint\u0022: \u0022df942077a47d988f388b413319fce7d0da9ccbf7\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223ef775987e41dcc313d41d88786ef3b6\u0022, \u0022payload_hash\u0022: \u0022942a883535324bf50eef42845a15c92d\u0022, \u0022path_pattern_hash\u0022: \u0022a434f033cdfe1c6228665bc262140ac0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/credentials.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 F\u0022, \u0022event_signature\u0022: \u0022c29dcd793be9d9d3685bdc8b0e455a6e19564200\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":208},{"id":8257420,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43784,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/keys.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00228a6a7f08cefdf85fe174473d0bd54d3fe03d7d1e\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00222c78d8f697f91556ab9c3211aab7056a4da36806\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 240, \u0022payload_entropy\u0022: 5.334951864479311, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u002271145f426fc0f361dda75cf4dfbca94a125ef42d\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022127287691cb13de540eb79e4ef04b540\u0022, \u0022payload_hash\u0022: \u00223a66a3cf2627fc8d91bea1d62cea7140\u0022, \u0022path_pattern_hash\u0022: \u0022bd83815abdfb4c4901e183b4e20e5597\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/keys.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (en-us) AppleWebKit\/525.13 (KHTML, like Gecko; Go\u0022, \u0022event_signature\u0022: \u0022b5c88364e3eead3903b75741e6ca1da915ddf544\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (en-us) AppleWebKit\/525.13 (KHTML, like Gecko; Google Web Preview) Version\/3.1 Safari\/525.13","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":240},{"id":8257421,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43786,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/application.properties","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022properties\u0022, \u0022http_ua_hash\u0022: \u002223f7e3d5921dcf4ac38a5d5c0c3224413c749e02\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u002219466bed7c4f7605a6c5066001d33e4cf1ce8497\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.378691663952425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u0022a8c8f7a4effa20b38d568a80c6c46891acc5c20e\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002211ec8df53c101ab988aff63fcdce1483\u0022, \u0022payload_hash\u0022: \u00225a249ff008e1f2cc1d867c5fc5b5e412\u0022, \u0022path_pattern_hash\u0022: \u00224e42f78bea2104e7cf7ee364ae009f68\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/application.properties HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\u0022, \u0022event_signature\u0022: \u0022b9889252eed8e893cc6f2c7bc96b458519928b82\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":259},{"id":8257422,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43802,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/application.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u002209a4b3e3917fbeeac28c7a1a64a80cf7ec659ff3\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u002221bd12a36544d7656ab5efe66271236b69b5a1f6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 211, \u0022payload_entropy\u0022: 5.296951495345175, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u0022086f217996bb0c8febbb72d73dd0caa98ea6edcd\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022bd63bc1a2a5969253f7255ca4aa2418e\u0022, \u0022payload_hash\u0022: \u002291258c5968d8d116ee64642299cd2fcf\u0022, \u0022path_pattern_hash\u0022: \u0022483067fc8f328a203e484adab257e7db\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/application.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en\u0022, \u0022event_signature\u0022: \u0022566089eac2db3d6b3f1cc4b79ee85ca3e5ca37b9\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Presto\/2.2.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":211},{"id":8257423,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43796,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/parameters.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022d7c60473ca507d0f267a16bb2c90d1bcbbc70259\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022e985a74d9ec6187d476021931d698376d834a9cf\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 282, \u0022payload_entropy\u0022: 5.445151545378967, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u0022532daf3caf448cc1fd132dc63396265fe2e0a211\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221104c74dd435280ff2b2099a808bc6c8\u0022, \u0022payload_hash\u0022: \u0022df7dd1bb172c2759bdc35930779db667\u0022, \u0022path_pattern_hash\u0022: \u0022ffe159f5ae172e27508531699989483b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/parameters.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II\u0022, \u0022event_signature\u0022: \u002286ddca0c793137f6ab2fecf95e2c0df0c7660b38\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":282},{"id":8257424,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43812,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/parameters.yaml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yaml\u0022, \u0022http_ua_hash\u0022: \u0022c7d382811638f4530327a18b063603e4f53ec036\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u002248ec704c337209e5e30476493203a595020a29cc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 256, \u0022payload_entropy\u0022: 5.448494423194764, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u002287f3941f13babc48ca8c79ad5dad33db2f07ad07\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022fee6c8055d0d2c6625ca6b9295cc7ad2\u0022, \u0022payload_hash\u0022: \u00223d15af5b750905a9c296346b4331ea2e\u0022, \u0022path_pattern_hash\u0022: \u002281aa704862a049efd37a741ef24b3dd7\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/parameters.yaml HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5\u0022, \u0022event_signature\u0022: \u002282bf0b0525374230fb02f23cb7eb1bd1498ff514\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.87 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":256},{"id":8257425,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43828,"dst_port":2379,"service":"http","classification":"nosql_injection","waf_score":12,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/app.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u0022c03cd37d2081e146d7646ffe1fd3b288c7377f5e\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00224d388b5973ca832ef2abea7dc7b3d1d0491429b6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 237, \u0022payload_entropy\u0022: 5.375929526326235, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 56.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a7f4cfe584f8d8ab55a384f5bb5e07a46b54d862\u0022, \u0022event_fingerprint\u0022: \u0022c9ff081ab19dd3f5e6200f6c37f10070054511a9\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a84cf2cbdd36ed3842484f0a6bc7e340\u0022, \u0022payload_hash\u0022: \u0022ec30aa0d8e6d077d3beb331a473aa3df\u0022, \u0022path_pattern_hash\u0022: \u00221bde6fec443f458560d30e82dbf9f869\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/app.php HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like G\u0022, \u0022event_signature\u0022: \u002270a6d366403338e938b8d5eb14f4f122b0a6c62b\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":8,"bytes_in":237},{"id":8257427,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43844,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/mail.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u0022e23a3034c7f4b27b852b015a2ef8ad939893d753\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022a3c407d6a87f65745e0ab4f00693213892a25d7c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 268, \u0022payload_entropy\u0022: 5.39028709677591, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u002258163cc68cd0770db345fbfd6739db34674367de\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022bb04918531888fa47be5e7b2ef0880b6\u0022, \u0022payload_hash\u0022: \u0022ce8f0e91544598b5d5767e2a952fbc5b\u0022, \u0022path_pattern_hash\u0022: \u00229f9ddcc3b2a6db2bc31eefdcce505d28\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/mail.php HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebK\u0022, \u0022event_signature\u0022: \u002201b99b0f6e45280f9fc8ba21a9469e2bd04d5afc\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.1.0; Moto G (5S) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":268},{"id":8257428,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43848,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/services.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225389e2d1a31c2c8e99f813da81ad753659927975\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00223ca2bec84ec8ba69efd80baa52ae496391a16c98\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.414330044438206, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u00223fee761bf69537f71c81049485789c24d1608c59\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e016ae64e78f7fed83a4aeb46b2d8f00\u0022, \u0022payload_hash\u0022: \u00228220ec9e47cf45438ddd447c40cc2e0b\u0022, \u0022path_pattern_hash\u0022: \u00221a4e64bcf01550beeb5ff11653df0118\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/services.php HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A505F) AppleWebKit\/537.3\u0022, \u0022event_signature\u0022: \u0022794bac0ec786e931f1e65ed00afb548d2933d579\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; SM-A505F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":260},{"id":8257429,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43864,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/services\/config.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u002296499075caf3d0bc3257071f334c083bf9bf18c0\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022849650fda3ca7d8e7fb5a869d1e03c4ddb7e054b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.4083869783488625, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022575546b282c91b63ba6446b4115b9b715c47d8f3\u0022, \u0022event_fingerprint\u0022: \u0022c7052c6cdaae5aed1cee1c458f323adef241ee24\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221d7f306fec8907b288ece302d7101675\u0022, \u0022payload_hash\u0022: \u0022b466df3d74d40d765728331a8f131d8a\u0022, \u0022path_pattern_hash\u0022: \u00221c9a0086526de918aaad2c3c4d637227\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/services\/config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebK\u0022, \u0022event_signature\u0022: \u0022ae821bd7aac7b783bb1b147630de1a9d9b68d98c\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":260},{"id":8257430,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43866,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/services\/config.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022076cd404655c77a72ab549fc271210fbf04b931e\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00222d88915b17a3e9417f411d093261d57afedac11a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 210, \u0022payload_entropy\u0022: 5.335133611840663, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e61efc62d01535c4e6fbe8454e919a2b486de4a7\u0022, \u0022event_fingerprint\u0022: \u002251dc69b085b3b6b1445dc3f369adf2916750d207\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00224aa6de138ae8c5c2aa4cd5222c0dccdb\u0022, \u0022payload_hash\u0022: \u002245b7d5f3a7a101a4cb955c4ef42bd485\u0022, \u0022path_pattern_hash\u0022: \u0022c77847d5436776141786847bba665ee6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/services\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; SunOS) KHTML\/3.5.1\u0022, \u0022event_signature\u0022: \u0022c583b5087262a76278a8d3f2015f2914827d1b65\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (compatible; Konqueror\/3.5; SunOS) KHTML\/3.5.1 (like Gecko)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":210},{"id":8257431,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43876,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/config\/cache.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00227e735b708fe4e47b088f154f9ebca1d255399009\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00229692de7bdad9583db6331e50d4b9dacf18ddb2e0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 271, \u0022payload_entropy\u0022: 5.423315114389343, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4585ad4a01e1f7d40f7b5b188e05175b4c7b737\u0022, \u0022event_fingerprint\u0022: \u0022e78336b002432d28a721a66ac444fbaa91eca930\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002254911114cfc55ddc677d3d95cb560aa6\u0022, \u0022payload_hash\u0022: \u00225913481463003187daf257cef2dc656d\u0022, \u0022path_pattern_hash\u0022: \u0022875d6aa330eaf796664c4387fbf0c3b1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/config\/cache.php HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022event_signature\u0022: \u0022b97051563afea3b55dc552657fb94380d8879d05\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/33.0.1750.152 Chrome\/33.0.1750.152 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_config\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":271},{"id":8257432,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43880,"dst_port":2379,"service":"http","classification":"ssrf_attack","waf_score":18,"waf_tags":"[\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/services\/database.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u002289dd5d41d3d9d67804fa452fc26e0d1854f91e2f\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022f7bb9e40fee8cec674637bbf331e53a5b8590736\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 188, \u0022payload_entropy\u0022: 5.0983900684930585, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 80.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 80.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c76ffd3a2ca05331493b0d2c89ff28cd79ab30a9\u0022, \u0022event_fingerprint\u0022: \u0022a2e4e0b72188b49598c6d9b5d2fa9ee6de2619c7\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228f1e26574192b3d2adfdd413095e2a21\u0022, \u0022payload_hash\u0022: \u0022a364a0332406b02f3ee768cfad5b3ad3\u0022, \u0022path_pattern_hash\u0022: \u002295fb64daae7070423a309432871be5ab\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022ssrf_probe\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/services\/database.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: msnbot\/0.11 ( http:\/\/search.msn.com\/msnbot.htm)\\r\\nAccept-\u0022, \u0022event_signature\u0022: \u0022b5f6ff6e2298827096bf82409469ab008f0830d3\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"msnbot\/0.11 ( http:\/\/search.msn.com\/msnbot.htm)","http_referer":null,"tags":"[\u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":188},{"id":8257433,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43902,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/services\/application.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u0022e42dfe396cecc2f95ce9656f4afdef6a1db82c8a\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u002255b6d2ef8836af67e6f27bf09e5982be1b55ff6c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 245, \u0022payload_entropy\u0022: 5.395350294474496, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e61efc62d01535c4e6fbe8454e919a2b486de4a7\u0022, \u0022event_fingerprint\u0022: \u002298610538a469cd77153b3c619ee40b7ad0637f98\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228af73b7f8aafd20609016b2b3181f8bf\u0022, \u0022payload_hash\u0022: \u002246c76ff170356f7b2140e8003b871407\u0022, \u0022path_pattern_hash\u0022: \u0022427a79bd587af67e27894e14297375f5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.92, \u0022classification_confidence\u0022: 0.92, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/services\/application.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHT\u0022, \u0022event_signature\u0022: \u0022f27459b03ee6a01920671f83f563d4f67cbd55ee\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2166.2 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":245},{"id":8257434,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43886,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/services\/secrets.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00228fcc658f794c6a3c52cc5f15368ff6f95e08a681\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022e5f28d9dabe348c75152a0d03b8af3948967c412\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 255, \u0022payload_entropy\u0022: 5.345473641156008, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002245ff211aa5857e1a50c6458c37bc675159e9108d\u0022, \u0022event_fingerprint\u0022: \u0022ed756dcaa77b14f00aa16d3860d79e8f0c121aa7\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b7e703a0bfad46dc961769f3170e5489\u0022, \u0022payload_hash\u0022: \u0022605185e0b4fede45cce05df4390d1f2b\u0022, \u0022path_pattern_hash\u0022: \u0022e5ca14018f208a625d89b1bb0ac742c9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/services\/secrets.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (webOS\/1.3; U; en-US) AppleWebKit\/525.27.1 (\u0022, \u0022event_signature\u0022: \u002291e9f52037b610d779417d9198c1c7e90a8aa046\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (webOS\/1.3; U; en-US) AppleWebKit\/525.27.1 (KHTML, like Gecko) Version\/1.0 Safari\/525.27.1 Desktop\/1.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":255},{"id":8257435,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43916,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/internal\/config.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u002255328443fdf6da5299f536f6a3e8463066f833e3\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u002237c197fe9359087d8eaa32bd64802e5cf10f3318\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 203, \u0022payload_entropy\u0022: 5.265094034639485, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228e952be296d45a13e9d810f744a3183c5377477b\u0022, \u0022event_fingerprint\u0022: \u0022e76b0cc24e16acc28b82837ce219ce4899d319cb\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228926c3bfdb2517e6c0105cbf629349e9\u0022, \u0022payload_hash\u0022: \u00221ddca3459a492123652ca2607dd12749\u0022, \u0022path_pattern_hash\u0022: \u0022d046288edb8a0675371a7426276833c2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/internal\/config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Triden\u0022, \u0022event_signature\u0022: \u0022a8b92cf33090af011319332fc568442e4778daa1\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_internal\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident\/5.0)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_internal\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":203},{"id":8257437,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43920,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/internal\/config.yml","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022yml\u0022, \u0022http_ua_hash\u0022: \u00225df36dfcd1878e0b9fef6617b52ce008010031c5\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u002284b99aee73556df7a4efeffa522f9587a983cdbf\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.420053341521816, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283140abda99eef5082e5c191a653276612bcb3ca\u0022, \u0022event_fingerprint\u0022: \u0022a4b90b4ca094c1641ad188ae90a26289d58675fc\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022279451a1275a9e470716fb83584f9a9e\u0022, \u0022payload_hash\u0022: \u0022ec104ea2a5ae03a952beec1a35209f62\u0022, \u0022path_pattern_hash\u0022: \u00222e4a225629002cdfe7eaf4ad6aeee5e3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/internal\/config.yml HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.\u0022, \u0022event_signature\u0022: \u002278eae13eee534d6b250bb93d635cb1ac4b41cc64\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_internal\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3191.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_internal\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":252},{"id":8257438,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43948,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/internal\/credentials.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022c16eea07f61071e407845d78c910b23ef0878abc\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u002267a2d20eccea3e1476efbd10b6c219968bcd3d37\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.316995752641671, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283140abda99eef5082e5c191a653276612bcb3ca\u0022, \u0022event_fingerprint\u0022: \u0022eb1b121c47d3ed16b128e0c23cb53b9416d10f0c\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e4f5b9f8ab10ccf743c9fface9d7e507\u0022, \u0022payload_hash\u0022: \u00222a44302c60a928be83a5b6e953967343\u0022, \u0022path_pattern_hash\u0022: \u0022a92d8e41a7082a2d86555abaec1a1134\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/internal\/credentials.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (X11; NetBSD amd64; rv:30.0) Gecko\/20100\u0022, \u0022event_signature\u0022: \u002276866a847cb8185bb3a5b7710da9341074d6c469\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_internal\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (X11; NetBSD amd64; rv:30.0) Gecko\/20100101 Firefox\/30.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_internal\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":213},{"id":8257439,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43936,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/internal\/secrets.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022f8a238d8e07e035567a350f98653611abdb4c5aa\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022e7406b4d8f1796ab257c40ae6f6c0b897e45a189\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 217, \u0022payload_entropy\u0022: 5.328894933107258, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229804115aa1d2f85c7058998f717197f43af72b34\u0022, \u0022event_fingerprint\u0022: \u00224b7c26f7857fa21522bc3065afd7b2ac1418a135\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002204e170b80efa0d73e0e27727b0e87f21\u0022, \u0022payload_hash\u0022: \u0022472728aafcee2a6d6259627798fd2444\u0022, \u0022path_pattern_hash\u0022: \u0022d62c78f7ba64ca452bd03619c00c7af4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/internal\/secrets.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko\/2\u0022, \u0022event_signature\u0022: \u0022f10b77d35e73f34d34cb5c3cfd65e3756a5d3525\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022http_probe_internal\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko\/20100101 Firefox\/35.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022http_probe_internal\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":217},{"id":8257440,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43964,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/private\/config.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022fc4a269fbdd10d30d1815e1ec2628e6dfa45adfb\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00229da8385e7491d9f52a230e3a1c8c565aba119417\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 308, \u0022payload_entropy\u0022: 5.524994267097902, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022785150c8f6b69cf8d83fa2cd5bdecf0cc48f00c2\u0022, \u0022event_fingerprint\u0022: \u0022f5615dec6689664d95a88e878ef865d6e34176a0\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222033f96c32f9e7a32c72a9f0be492fee\u0022, \u0022payload_hash\u0022: \u0022fc35dd69ce3ba70cbd842d37180f8457\u0022, \u0022path_pattern_hash\u0022: \u0022a8e2e774a183bdb09e7d488718c8d6ab\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/private\/config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1\u0022, \u0022event_signature\u0022: \u00222c2f76427521460fd08a345c7d4697be4a074c48\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_private\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_private\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":308},{"id":8257441,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43966,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/private\/secrets.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u0022d339eaacdd813eb9cf1c4e97668227b50c9b0706\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u00221a592bf2c5d0fa0649bfef76bf43dc28f3f43a27\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.427000756964419, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f0e0f6c3013f2a5b711e1bc85b5292c25679c9a4\u0022, \u0022event_fingerprint\u0022: \u002269ad8aa9594bcae2ae4a15d1cb8e442c6d39e792\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00224de7c8accc397a2534f015ff8071e5df\u0022, \u0022payload_hash\u0022: \u0022f2ad45d610fac6eed53343ef0d1d99f6\u0022, \u0022path_pattern_hash\u0022: \u002228bdca9eb7d8c2f1408ad5c40bac8497\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/private\/secrets.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.\u0022, \u0022event_signature\u0022: \u0022dac7047843b49c3a371516abba5cbdff54ea45df\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022http_probe_private\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022http_probe_private\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":261},{"id":8257442,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43976,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/private\/credentials.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u002248e4ba6e2311cc3b680df34feac8abe9c1f79a12\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022f5b98432b4ea101afd265888d823143de70b6fa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.43040713528223, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4061a1f45abe347e0e951e22868bf6c545bce28\u0022, \u0022event_fingerprint\u0022: \u00223a037ce29687dfde8a1f2dc4d8c4ff30ab2e7d54\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002215923ad48d9322c295676239fbf81afc\u0022, \u0022payload_hash\u0022: \u0022e643a9fc97d5ee6befc6bedfc27f73b6\u0022, \u0022path_pattern_hash\u0022: \u0022b18c0d27f50ba8fd3156a9c7a907fc4a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/private\/credentials.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/5\u0022, \u0022event_signature\u0022: \u00226cd2b4e1b097c9efa68a322145eff77dcb971269\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_private\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_private\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":264},{"id":8257443,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43980,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/deploy\/config.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00222107ee483b37620cd27469a83622677f75ba74e7\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022587e02f3a200b756d82c89e452c9f9e918723ae0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 282, \u0022payload_entropy\u0022: 5.396371698919115, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022575546b282c91b63ba6446b4115b9b715c47d8f3\u0022, \u0022event_fingerprint\u0022: \u00229f92bd199d444d4c15d87b0abfa93f85c7635cae\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222d025fe5ac87515830071c9b47a68c3e\u0022, \u0022payload_hash\u0022: \u002245ea57f05932840106dac63c133ae686\u0022, \u0022path_pattern_hash\u0022: \u002295089f1ddd4262d3d914f991599d5080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/deploy\/config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation \u0022, \u0022event_signature\u0022: \u0022bb7c52a96889ee386afe744bad7be2e3177a92b4\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build\/IML74K) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":9,"bytes_in":282},{"id":8257444,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43982,"dst_port":2379,"service":"http","classification":"sqli_attack","waf_score":26,"waf_tags":"[\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/deploy\/secrets.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u002201b8503a288ae2987e234beb5de51ea6d3ea9511\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u002260385d96f8574ab4bcb6af1ba09ecde50592baec\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 308, \u0022payload_entropy\u0022: 5.4391636091091415, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 82.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bfbba6c64bc0708759b2f75087bc892c38e68e49\u0022, \u0022event_fingerprint\u0022: \u0022b6d5d26aba9e94262cd75923d059671fe058f78d\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223685139e481218d05f92f3c4fab0bb5e\u0022, \u0022payload_hash\u0022: \u0022f4d86ee0a232b980902227a7291e570a\u0022, \u0022path_pattern_hash\u0022: \u0022be3edf5651a95f93a63bb6eed77eea15\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/deploy\/secrets.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) A\u0022, \u0022event_signature\u0022: \u00221c77ce448515c989c640cffee75c710f530d7601\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/en","http_referer":null,"tags":"[\u0022950086:sqli-21\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_k8s_probe\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":308},{"id":8257445,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43996,"dst_port":2379,"service":"http","classification":"lfi_attack","waf_score":27,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/v2\/config.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u002296b49e406c596f130017a1a27443df1d36fc0003\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022504546e13c6c46b821dc777793aed750fb706b7d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.377311723845375, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022873fb93ec7d529a44c06143dc738a9c6064c24d0\u0022, \u0022event_fingerprint\u0022: \u0022fb60dacc33a544645420cd2751c30e87419b9d4f\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227a2d9889bcdfe826b39fb76b7851f88e\u0022, \u0022payload_hash\u0022: \u002248eeea056ac16dabfd127bab020e207c\u0022, \u0022path_pattern_hash\u0022: \u002200362549a7b517b90a1400deaafa2985\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/v2\/config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic\u0022, \u0022event_signature\u0022: \u0022a85f92fb5186981e96ebd24e02b7c6fe25c84002\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML\/4.4.3 (like Gecko) Kubuntu","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":243},{"id":8257446,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":43994,"dst_port":2379,"service":"http","classification":"lfi_attack","waf_score":27,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/v1\/config.json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00229dcf0dcbcf5df6da4ef99795e25554e7a07cb6a7\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022e1865ad3140924e10c86b3b0491226fecbd86d31\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 249, \u0022payload_entropy\u0022: 5.4409574159677465, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022873fb93ec7d529a44c06143dc738a9c6064c24d0\u0022, \u0022event_fingerprint\u0022: \u00221d344fd4869e790bbc3bc72ab3e5788d4769f899\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d08a9b47bbcb5b2974125d95dd9b7799\u0022, \u0022payload_hash\u0022: \u002244c6311e7f964dde745f04d6ec061353\u0022, \u0022path_pattern_hash\u0022: \u00224172adffd8adf564d7794f5ddcfe5fac\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/v1\/config.json HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K\u0022, \u0022event_signature\u0022: \u00226b5e2b28861b3ad35e4130154e7888d8e56199b5\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.119 Safari\/537.36","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":249},{"id":8257447,"ip":"35.221.148.26","ts":"2026-06-04 19:06:47.000000","proto":"tcp","src_port":44010,"dst_port":2379,"service":"http","classification":"rce_attack","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950518:leak-5\u0022]","http_method":"GET","http_target":"\/wp-config.php~","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022php~\u0022, \u0022http_ua_hash\u0022: \u00220fc09560e7cefb24fc2c36d478eb96a34ea61796\u0022, \u0022http_host_hash\u0022: \u00225d6a0f825efad99b3fccf17c8b6d0547385a0b8b\u0022, \u0022http_target_hash\u0022: \u0022863c7f3ef890e19c474d54faa2637f21aa61f24b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 229, \u0022payload_entropy\u0022: 5.326061906096364, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 2379, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 88.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 88.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f357c10ce8c0109f58aee8863efb7c9a79ca7db3\u0022, \u0022event_fingerprint\u0022: \u0022af09d7623b94d0f04a3eac778f8fbcd3f9077214\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220765d363a2f4e17ed6662441ebe726a5\u0022, \u0022payload_hash\u0022: \u0022c0b19634e3fac684a48562a98008406f\u0022, \u0022path_pattern_hash\u0022: \u002201859822ace956c1e8cfef788e43bcce\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2379, \u0022service\u0022: \u0022http\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022rce_probe\u0022], \u0022confidence\u0022: 0.98, \u0022classification_confidence\u0022: 0.98, \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022payload_preview\u0022: \u0022GET \/wp-config.php~ HTTP\/1.1\\r\\nHost: 62.3.50.33:2379\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.1\u0022, \u0022event_signature\u0022: \u00223f48e258e161d00d8cb31eda9f276acc6d56d946\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950518:leak-5\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2379","http_user_agent":"Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko\/20110303 Firefox\/3.6.15","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950518:leak-5\u0022, \u0022http_backup_file_scan\u0022, \u0022http_sensitive_path\u0022, \u0022net_flood\u0022]","anomalies":"[]","severity":10,"bytes_in":229}],"total_events":766}