{"ip":"35.233.77.25","exported_at":"2026-06-16T20:32:27+00:00","period_days":30,"metrics":{"events7d":60,"distinct_ports":1,"distinct_classifications":7,"max_severity":7,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":49,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["unknown"],"recommended_action":"monitor","confidence":0.95,"risk_breakdown":{"waf":8,"classification":78,"behavior":0,"geo":40,"protocol":36,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"T1110","top_mitre_technique":"T1110","top_mitre_count":42,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 48\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":78,"behavior":0,"geo":40,"protocol":36,"novelty":15,"risk_score":48},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["rafale_auth"],"correlation_flags_labels_fr":["Rafale auth"],"confidence_pct":95,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Bruteforce SSH"],"tags_summary":["INT-ssh-brute"],"attack_vector":"Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830","port":22,"service":"ssh","service_label_fr":"SSH"},"protocol_summary_fr":"Payload OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830 \u00b7 SSH:22","evidence_snippet":"OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830","target_port_label":"22 \u00b7 SSH","emulator_service":"ssh","confidence_reason":"Confiance 95 % \u2014 3 signal(aux) capteur","classification_reason":"Rafale d\u0027authentification SSH \u00b7 confiance 95%","classification_reason_label_fr":"Rafale d\u0027authentification SSH \u00b7 confiance 95%","confidence_factors_fr":"Confiance 95 % \u2014 Score WAF 8","payload_preview":"OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 8830"},"events":[{"id":9338651,"ip":"35.233.77.25","ts":"2026-06-16 05:06:24.000000","proto":"tcp","src_port":3114,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a7126521109c1987b3394ab50203f58d5e0666d\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022481e7c9d48f087e9179390f97c4362a8599a741d\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 25, \u0022ssh_auth_burst_rate\u0022: 1.92}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9338660,"ip":"35.233.77.25","ts":"2026-06-16 05:06:24.000000","proto":"tcp","src_port":3090,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 3.584962500721156, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b2993d6e4414a846683a71de5eb18653\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022request_sample\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022payload_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022payload_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022688ac31b5cccb45d898542916e35709bba611706\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022@RSYTCD: 29\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022@RSYTCD: 29\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 40, \u0022ssh_auth_burst_rate\u0022: 3.07, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":12},{"id":9338661,"ip":"35.233.77.25","ts":"2026-06-16 05:06:24.000000","proto":"tcp","src_port":3102,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 238, \u0022payload_entropy\u0022: 5.113383338217833, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0520\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Oracle TNS connect\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0520\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223ec3472553fccfc5460ce0aa0edb3bd2\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=22)))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=22)))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221246a073ff78ce2d8c3496f0df527f87975caadd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u003C,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u003C,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 41, \u0022ssh_auth_burst_rate\u0022: 3.15}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":238},{"id":9338662,"ip":"35.233.77.25","ts":"2026-06-16 05:06:24.000000","proto":"tcp","src_port":3108,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.139167728978457, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d36879333240626a18617a50ed2c7dee2f54393\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002294e606a42613d0ef095b8001a98bf6ed\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dff62050a720ccbe26a1a7aa16a0f946ee4180be\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 42, \u0022ssh_auth_burst_rate\u0022: 3.23}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":84},{"id":9338663,"ip":"35.233.77.25","ts":"2026-06-16 05:06:24.000000","proto":"tcp","src_port":3112,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 51, \u0022payload_entropy\u0022: 4.774887351563313, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cf7f9a111f4b869f284e874d67be1f5e\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 8830\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 8830\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 8830\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 8830\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 8830\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c3bd6976fe6d81871bd23d31b29af971a6d6442f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 8830\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 8830\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 8830\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 8830\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 43, \u0022ssh_auth_burst_rate\u0022: 3.31}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":51},{"id":9338652,"ip":"35.233.77.25","ts":"2026-06-16 05:06:23.000000","proto":"tcp","src_port":3012,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.9235205817738175, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d23b5ed00a4e814f350523d032a1394122d39cb7\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222a177602bee0d039f41fbd6da5240e04\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e876fa09a770fdbdbcbee593cc5e2e22f1136a9e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(r\ufffd\ufffd\ufffd\ufffd|\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(r\ufffd\ufffd\ufffd\ufffd|\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 26, \u0022ssh_auth_burst_rate\u0022: 2.16}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":44},{"id":9338653,"ip":"35.233.77.25","ts":"2026-06-16 05:06:23.000000","proto":"tcp","src_port":3028,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 106, \u0022payload_entropy\u0022: 1.562219115128654, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c410cf23b3d85ec98026baf9f8231d24\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d422539d9eae3410f418d7d4e23510bf8e6c8e72\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022f\ufffdSMB@$333333333333337\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022f\ufffdSMB@$333333333333337\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 27, \u0022ssh_auth_burst_rate\u0022: 2.25}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":106},{"id":9338654,"ip":"35.233.77.25","ts":"2026-06-16 05:06:23.000000","proto":"tcp","src_port":3038,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 2.125814583693911, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e9fd5030e26d1c231036f4ff830a90da\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022r\u003E\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022request_sample\u0022: \u0022r\u003E\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022r\u003E\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022r\u003E\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022r\u003E\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220eccae8d7e2e4f67d3404bcef7b017055f007a2f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022r\u003E\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022r\u003E\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022r\u003E\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022r\u003E\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 28, \u0022ssh_auth_burst_rate\u0022: 2.33}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":12},{"id":9338655,"ip":"35.233.77.25","ts":"2026-06-16 05:06:23.000000","proto":"tcp","src_port":3052,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.128085278891395, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0414\u0022], \u0022matched_pattern_names\u0022: [\u0022Redis PING RESP\u0022], \u0022pattern_ids\u0022: [\u0022pat-0414\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a43cb6a3b9d261112714d00e36b33106\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d4d2aa8f4088fee9ca985dd7ecfcc5b9fc3cffa8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 29, \u0022ssh_auth_burst_rate\u0022: 2.41}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":14},{"id":9338656,"ip":"35.233.77.25","ts":"2026-06-16 05:06:23.000000","proto":"tcp","src_port":3054,"dst_port":22,"service":"ssh","classification":"mqtt_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 3.281373409411991, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b1802f6f71a11621266cff4649898a3490ca5795\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 110, \u0022precision_signals\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022matched_patterns\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MQTT protocol\u0022, \u0022MQTT alt CONNECT\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022146feb4208f989935534a353df60ec62\u0022, \u0022path_pattern_hash\u0022: \u00224449b927317468afa12a2f935a413459\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b037cb5b32edc22d86c89afe5cb4c84b5d698274\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 30, \u0022ssh_auth_burst_rate\u0022: 2.5}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":19},{"id":9338657,"ip":"35.233.77.25","ts":"2026-06-16 05:06:23.000000","proto":"tcp","src_port":3058,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.6644977792004623, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d7cf99dd7541d7bd514fc0d9a1b2d531\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022request_sample\u0022: \u0022JDWP-Handshake\u0022, \u0022payload_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JDWP-Handshake\u0022, \u0022payload_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022edab5da1d572e96dec38495ef77723da65c2edc8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 32, \u0022ssh_auth_burst_rate\u0022: 2.66}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":14},{"id":9338658,"ip":"35.233.77.25","ts":"2026-06-16 05:06:23.000000","proto":"tcp","src_port":3068,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 7, \u0022payload_entropy\u0022: 2.807354922057604, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0604\u0022], \u0022matched_pattern_names\u0022: [\u0022Java RMI JRMI\u0022], \u0022pattern_ids\u0022: [\u0022pat-0604\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d8c49a0f759e2102fb8fa8368049d06a\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002225c057bdc097d97004a01c34d3bb59bfa4a90986\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 38, \u0022ssh_auth_burst_rate\u0022: 3.16}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":7},{"id":9338659,"ip":"35.233.77.25","ts":"2026-06-16 05:06:23.000000","proto":"tcp","src_port":3080,"dst_port":22,"service":"ssh","classification":"mqtt_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 20, \u0022payload_entropy\u0022: 3.1414460711655217, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b1802f6f71a11621266cff4649898a3490ca5795\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 110, \u0022precision_signals\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022matched_patterns\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MQTT protocol\u0022, \u0022MQTT alt CONNECT\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228cbaa0e25147458ba5f5f0e8603c4f19\u0022, \u0022path_pattern_hash\u0022: \u00224449b927317468afa12a2f935a413459\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022091bb425d2449cc5524179b89f1cfac2157d0511\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 39, \u0022ssh_auth_burst_rate\u0022: 3.25}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":20},{"id":9338646,"ip":"35.233.77.25","ts":"2026-06-16 05:06:20.000000","proto":"tcp","src_port":19628,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 71, \u0022payload_entropy\u0022: 4.83906190787142, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0556\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022Kafka ApiVersions key\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0556\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d9bcc621186ef441cc445f2b3dbd5f10\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229a321f0f92229c154128e8e36ccded2ae3db9c21\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 19, \u0022ssh_auth_burst_rate\u0022: 1.46}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":71},{"id":9338647,"ip":"35.233.77.25","ts":"2026-06-16 05:06:20.000000","proto":"tcp","src_port":19640,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 39, \u0022payload_entropy\u0022: 4.085180800729588, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d36879333240626a18617a50ed2c7dee2f54393\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222cdc1c85ed90a71a47d0101ae55ce264\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006OmjXoi\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006OmjXoi\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006OmjXoi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006OmjXoi\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006OmjXoi\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220e084588a1fba4d3d51905ae0ccd2b323edba11b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006OmjXoi\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022#3\ufffd\\radminclient-5OmjXoi\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006OmjXoi\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022#3\ufffd\\radminclient-5OmjXoi\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 20, \u0022ssh_auth_burst_rate\u0022: 1.54}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":39},{"id":9338641,"ip":"35.233.77.25","ts":"2026-06-16 05:06:17.000000","proto":"tcp","src_port":19604,"dst_port":22,"service":"ssh","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 4.354527413223707, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d12fee1305c771eccf9b4dc94584e2f37a781e8d\u0022, \u0022event_fingerprint\u0022: \u0022e2fecb7fa672c436270a1a3ab197ed5a9894cbda\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220efe38694fbb4cc2af819186b5e9ae9e\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022786b729d8b2076c38ec8c0ed0719c0dd6803f8ba\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022X%\u0026\u0027+,$\ufffd\\t\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\u066a\u003CK\ufffd{\ufffd\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022X%\u0026\u0027+,$\ufffd\\t\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\u066a\u003CK\ufffd{\ufffd\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_tds\u0022, \u0022net_bruteforce\u0022, \u0022net_mssql_tds\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 14, \u0022ssh_auth_burst_rate\u0022: 1.08}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_tds\u0022, \u0022net_bruteforce\u0022, \u0022net_mssql_tds\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":88},{"id":9338642,"ip":"35.233.77.25","ts":"2026-06-16 05:06:17.000000","proto":"tcp","src_port":19620,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.707321121424567, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c59a677b2073867969ee46536f796999\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u00220:\\u0002\\u0004f\ufffd\\u0003\\u000f`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qiksnrhfyegsacbprmcn\ufffd\\u0014qiksnrhfyegsacbprmcn\u0022, \u0022request_sample\u0022: \u00220:\\u0002\\u0004f\ufffd\\u0003\\u000f`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qiksnrhfyegsacbprmcn\ufffd\\u0014qiksnrhfyegsacbprmcn\u0022, \u0022payload_snippet\u0022: \u00220:\\u0002\\u0004f\ufffd\\u0003\\u000f`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qiksnrhfyegsacbprmcn\ufffd\\u0014qiksnrhfyegsacbprmcn\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00220:\\u0002\\u0004f\ufffd\\u0003\\u000f`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qiksnrhfyegsacbprmcn\ufffd\\u0014qiksnrhfyegsacbprmcn\u0022, \u0022payload_snippet\u0022: \u00220:\\u0002\\u0004f\ufffd\\u0003\\u000f`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qiksnrhfyegsacbprmcn\ufffd\\u0014qiksnrhfyegsacbprmcn\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ed875f867270d43a72f6bf40d6533b8548862d21\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220:\\u0002\\u0004f\ufffd\\u0003\\u000f`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qiksnrhfyegsacbprmcn\ufffd\\u0014qiksnrhfyegsacbprmcn\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u00220:f\ufffd`2cn=qiksnrhfyegsacbprmcn\ufffdqiksnrhfyegsacbprmcn\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220:\\u0002\\u0004f\ufffd\\u0003\\u000f`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qiksnrhfyegsacbprmcn\ufffd\\u0014qiksnrhfyegsacbprmcn\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00220:f\ufffd`2cn=qiksnrhfyegsacbprmcn\ufffdqiksnrhfyegsacbprmcn\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 15, \u0022ssh_auth_burst_rate\u0022: 1.15}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":60},{"id":9338643,"ip":"35.233.77.25","ts":"2026-06-16 05:06:14.000000","proto":"tcp","src_port":19592,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a7126521109c1987b3394ab50203f58d5e0666d\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022481e7c9d48f087e9179390f97c4362a8599a741d\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 16, \u0022ssh_auth_burst_rate\u0022: 1.6}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9338632,"ip":"35.233.77.25","ts":"2026-06-16 05:06:11.000000","proto":"tcp","src_port":15330,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.983740670882855, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228fc6ed97290d268f1fc6cf8588666a2736755a3f\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220003c8efa0acdc0c6540f4bdb920f6bc\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002294172eec75bd2e49c01514c1cb036ae3c10770b0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 11, \u0022ssh_auth_burst_rate\u0022: 0.85, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":19},{"id":9338637,"ip":"35.233.77.25","ts":"2026-06-16 05:06:11.000000","proto":"tcp","src_port":15344,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 16, \u0022payload_entropy\u0022: 3.327819531114783, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad32b372bf9a8e846b24a957491de4e3\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022Not a command \\r\\n\u0022, \u0022request_sample\u0022: \u0022Not a command \\r\\n\u0022, \u0022payload_snippet\u0022: \u0022Not a command\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022Not a command \\r\\n\u0022, \u0022payload_snippet\u0022: \u0022Not a command\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022250dbd8b8f86903d9c7611d3c1f2018db5027abe\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022Not a command\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022Not a command\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022Not a command\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Not a command\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 13, \u0022ssh_auth_burst_rate\u0022: 1.0, \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":16},{"id":9338630,"ip":"35.233.77.25","ts":"2026-06-16 05:06:07.000000","proto":"tcp","src_port":15312,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 32, \u0022payload_entropy\u0022: 3.4681390622295662, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228fc6ed97290d268f1fc6cf8588666a2736755a3f\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002263dee8e3b119d818a847299a1d9cf38b\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\\u001e\\u001a\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u001e\\u001a\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u001e\\u001a\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u001e\\u001a\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u001e\\u001a\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228d0b7579ac9aef950bb8bcf396cceb16c3a74af0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u001e\\u001a\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdversionbind\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u001e\\u001a\ufffd\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdversionbind\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 14, \u0022ssh_auth_burst_rate\u0022: 0.93}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":32},{"id":9338631,"ip":"35.233.77.25","ts":"2026-06-16 05:06:07.000000","proto":"tcp","src_port":15322,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222c52b1f7aa472ff9e6b5ad5aa646dee43fa9d21b\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227be0d89ee20e8cc370e1cc8a6f3697991db52ea5\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 10, \u0022ssh_auth_burst_rate\u0022: 1.11}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9338629,"ip":"35.233.77.25","ts":"2026-06-16 05:06:04.000000","proto":"tcp","src_port":15286,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a7126521109c1987b3394ab50203f58d5e0666d\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022481e7c9d48f087e9179390f97c4362a8599a741d\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 13, \u0022ssh_auth_burst_rate\u0022: 1.08}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9338626,"ip":"35.233.77.25","ts":"2026-06-16 05:05:58.000000","proto":"tcp","src_port":48196,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a7126521109c1987b3394ab50203f58d5e0666d\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022481e7c9d48f087e9179390f97c4362a8599a741d\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 9, \u0022ssh_auth_burst_rate\u0022: 1.5, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9338616,"ip":"35.233.77.25","ts":"2026-06-16 05:05:55.000000","proto":"tcp","src_port":48140,"dst_port":22,"service":"ssh","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1481, \u0022payload_entropy\u0022: 7.735521837381525, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 36.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221754ac7e847ceb385b4fff1ce5385dae1c9f46d8\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022310491ce764bbeea4c777fca99411ff6\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 40}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffdD\ufffd\ufffd\u07c2\ufffd\\u0015[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\\u0002\ufffd\ufffd\ufffd\\u0013\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\\u0010\\u0000\ufffd\/f\\u001e\ufffdr9\ufffdk3r\\u0016\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\\u001f\ufffd\ufffd\\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd#\ufffd\u0027\\u0000\u003C\ufffd\\u0007\ufffd\\u0011\\u0000\\u0005\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffdD\ufffd\ufffd\u07c2\ufffd\\u0015[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\\u0002\ufffd\ufffd\ufffd\\u0013\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\\u0010\\u0000\ufffd\/f\\u001e\ufffdr9\ufffdk3r\\u0016\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\\u001f\ufffd\ufffd\\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd#\ufffd\u0027\\u0000\u003C\ufffd\\u0007\ufffd\\u0011\\u0000\\u0005\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0005E\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\f\\u0000\\n\\u0011\ufffd\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0004\ufffd\\u0004\ufffd\\u0011\ufffd\\u0004\ufffdK!v\ufffdt\\f\ufffd\ufffd\u065bK|Yz?\ufffdw\ufffd\\u0018\\u00147|3m\\u0002~\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffdD\ufffd\ufffd\u07c2\ufffd\\u0015[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\\u0002\ufffd\ufffd\ufffd\\u0013\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\\u0010\\u0000\ufffd\/f\\u001e\ufffdr9\ufffdk3r\\u0016\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\\u001f\ufffd\ufffd\\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd#\ufffd\u0027\\u0000\u003C\ufffd\\u0007\ufffd\\u0011\\u0000\\u0005\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226a1e9eb65b46888582546c3cba50a9f6daa9a628\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffdD\ufffd\ufffd\u07c2\ufffd\\u0015[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\\u0002\ufffd\ufffd\ufffd\\u0013\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\\u0010\\u0000\ufffd\/f\\u001e\ufffdr9\ufffdk3r\\u0016\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\\u001f\ufffd\ufffd\\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd#\ufffd\u0027\\u0000\u003C\ufffd\\u0007\ufffd\\u0011\\u0000\\u0005\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdD\ufffd\ufffd\u07c2\ufffd[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\ufffd\/f\ufffdr9\ufffdk3r\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\ufffd\ufffd2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd#\ufffd\u0027\u003C\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0005\ufffd\\u0001\\u0000\\u0005\ufffd\\u0003\\u0003\ufffdD\ufffd\ufffd\u07c2\ufffd\\u0015[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\\u0002\ufffd\ufffd\ufffd\\u0013\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\\u0010\\u0000\ufffd\/f\\u001e\ufffdr9\ufffdk3r\\u0016\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\\u001f\ufffd\ufffd\\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd#\ufffd\u0027\\u0000\u003C\ufffd\\u0007\ufffd\\u0011\\u0000\\u0005\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdD\ufffd\ufffd\u07c2\ufffd[k[\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;,\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd 5\ufffd\ufffd\ufffd\ufffd\ufffd\/f\ufffdr9\ufffdk3r\ufffd\ufffd]]\ufffd\ufffdq\ufffdfV\ufffd\ufffd2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n\ufffd#\ufffd\u0027\u003C\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":6,"bytes_in":1481},{"id":9338617,"ip":"35.233.77.25","ts":"2026-06-16 05:05:55.000000","proto":"tcp","src_port":48152,"dst_port":22,"service":"ssh","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 121, \u0022payload_entropy\u0022: 3.1150230512705406, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bc2d1c20942b1079428048817a17e68d0d29c88a\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022de7aa004722a47b7532d77bd58324675\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022;\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0014\\u0000\\u0000\\u0000\\u0001hello\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u003E\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0017\\u0000\\u0000\\u0000\\u0001isMaster\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022;\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0014\\u0000\\u0000\\u0000\\u0001hello\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u003E\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0017\\u0000\\u0000\\u0000\\u0001isMaster\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022payload_snippet\u0022: \u0022;\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0014\\u0000\\u0000\\u0000\\u0001hello\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u003E\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0017\\u0000\\u0000\\u0000\\u0001isMaster\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a1120974c8726045927a4fd936a7f99911a4d656\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022;\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0014\\u0000\\u0000\\u0000\\u0001hello\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u003E\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0017\\u0000\\u0000\\u0000\\u0001isMaster\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022;\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?\u003E\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdisMaster\ufffd?\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022;\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0014\\u0000\\u0000\\u0000\\u0001hello\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u003E\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0017\\u0000\\u0000\\u0000\\u0001isMaster\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022;\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?\u003E\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdisMaster\ufffd?\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":121},{"id":9338618,"ip":"35.233.77.25","ts":"2026-06-16 05:05:55.000000","proto":"tcp","src_port":48154,"dst_port":22,"service":"ssh","classification":"port_22_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 187, \u0022payload_entropy\u0022: 5.383987673192649, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 46.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d7618832c0a2bdfa93a1dfe9da3c4b45bc1bbe62\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022ssh_probe\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c6d7adbc04645037c21feea1e5278a4f\u0022, \u0022path_pattern_hash\u0022: \u00224d94c79baddfcb6b1b3c2c5fdc6c79e1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f0f84ddad41e184f25737df608d861079e9b26fb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko\u0022, \u0022attack_vector\u0022: \u0022port 22 tcp \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022port 22 tcp \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":7,"bytes_in":187},{"id":9338619,"ip":"35.233.77.25","ts":"2026-06-16 05:05:55.000000","proto":"tcp","src_port":48168,"dst_port":22,"service":"ssh","classification":"port_22_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 64, \u0022payload_entropy\u0022: 5.84375, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ec742e1f26595cf120b330e5f862965c23dfeeb2\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022ssh_probe\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022890f2617cc5eb0c3c32d995c118416f1\u0022, \u0022path_pattern_hash\u0022: \u00224d94c79baddfcb6b1b3c2c5fdc6c79e1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\ufffd\ufffd\ufffd\ufffdYGl\\\u0022Z\ufffd\ufffdE\ufffd\\\\z\ufffd0\ufffdl\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\\u0000\u003E\\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\\f\ufffda\ufffd\ufffd\ufffd\ufffd\\u0004\\u0014~\\u0001\ufffdx\ufffd^:\\u0019\ufffd\\u0015\ufffd,8\u0022, \u0022request_sample\u0022: \u0022\ufffd\ufffd\ufffd\ufffdYGl\\\u0022Z\ufffd\ufffdE\ufffd\\\\z\ufffd0\ufffdl\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\\u0000\u003E\\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\\f\ufffda\ufffd\ufffd\ufffd\ufffd\\u0004\\u0014~\\u0001\ufffdx\ufffd^:\\u0019\ufffd\\u0015\ufffd,8\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdYGl\\\u0022Z\ufffd\ufffdE\ufffd\\\\z\ufffd0\ufffdl\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\\u0000\u003E\\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\\f\ufffda\ufffd\ufffd\ufffd\ufffd\\u0004\\u0014~\\u0001\ufffdx\ufffd^:\\u0019\ufffd\\u0015\ufffd,8\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\ufffd\ufffd\ufffdYGl\\\u0022Z\ufffd\ufffdE\ufffd\\\\z\ufffd0\ufffdl\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\\u0000\u003E\\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\\f\ufffda\ufffd\ufffd\ufffd\ufffd\\u0004\\u0014~\\u0001\ufffdx\ufffd^:\\u0019\ufffd\\u0015\ufffd,8\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdYGl\\\u0022Z\ufffd\ufffdE\ufffd\\\\z\ufffd0\ufffdl\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\\u0000\u003E\\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\\f\ufffda\ufffd\ufffd\ufffd\ufffd\\u0004\\u0014~\\u0001\ufffdx\ufffd^:\\u0019\ufffd\\u0015\ufffd,8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c16d52d7e3950a16cdd651e7c3a438587683959d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\ufffd\ufffd\ufffdYGl\\\u0022Z\ufffd\ufffdE\ufffd\\\\z\ufffd0\ufffdl\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\\u0000\u003E\\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\\f\ufffda\ufffd\ufffd\ufffd\ufffd\\u0004\\u0014~\\u0001\ufffdx\ufffd^:\\u0019\ufffd\\u0015\ufffd,8\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdYGl\\\u0022Z\ufffd\ufffdE\ufffd\\\\z\ufffd0\ufffdl\ufffd\u0027\ufffd\ufffd\ufffd\u003E\\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffda\ufffd\ufffd\ufffd\ufffd~\ufffdx\ufffd^:\ufffd\ufffd,8\u0022, \u0022attack_vector\u0022: \u0022port 22 tcp \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_22_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\ufffd\ufffd\ufffdYGl\\\u0022Z\ufffd\ufffdE\ufffd\\\\z\ufffd0\ufffdl\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\\u0000\u003E\\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\\f\ufffda\ufffd\ufffd\ufffd\ufffd\\u0004\\u0014~\\u0001\ufffdx\ufffd^:\\u0019\ufffd\\u0015\ufffd,8\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022port 22 tcp \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdYGl\\\u0022Z\ufffd\ufffdE\ufffd\\\\z\ufffd0\ufffdl\ufffd\u0027\ufffd\ufffd\ufffd\u003E\\n\ufffdI\ufffd\ufffd6\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffda\ufffd\ufffd\ufffd\ufffd~\ufffdx\ufffd^:\ufffd\ufffd,8\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":64},{"id":9338621,"ip":"35.233.77.25","ts":"2026-06-16 05:05:55.000000","proto":"tcp","src_port":48182,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 27, \u0022payload_entropy\u0022: 3.91211389097223, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e61df9daa23678fb8da412993c14604e07486452\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229347c491a8bfa0cf9d4139ebc591dc1a\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\\r\\n\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220ccf02ae15ff2ec307f7e559b769b36593f613fb\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 7, \u0022ssh_auth_burst_rate\u0022: 2.33, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":27},{"id":9338615,"ip":"35.233.77.25","ts":"2026-06-16 05:05:52.000000","proto":"tcp","src_port":48124,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 27, \u0022payload_entropy\u0022: 3.91211389097223, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002252aff1c3ab5260ce88a91e156d1e2db6de2ba6df\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229347c491a8bfa0cf9d4139ebc591dc1a\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\\r\\n\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002252d32b9da785420c931187954c12cc6bf595755d\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-Fingerprintx-SSH2\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":27},{"id":9337977,"ip":"35.233.77.25","ts":"2026-06-16 04:49:18.000000","proto":"tcp","src_port":57508,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a7126521109c1987b3394ab50203f58d5e0666d\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022481e7c9d48f087e9179390f97c4362a8599a741d\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 18, \u0022ssh_auth_burst_rate\u0022: 1.28}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9337982,"ip":"35.233.77.25","ts":"2026-06-16 04:49:18.000000","proto":"tcp","src_port":57502,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 51, \u0022payload_entropy\u0022: 4.814103037837824, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222b86689ebf77c360c4f0cca5b2b92364\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7216\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7216\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7216\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7216\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7216\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c139fe4977da1a7b1edf07d60d7d1acfb848ea75\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7216\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7216\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7216\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS rtsp:\/\/example.com RTSP\/1.0\\r\\nCseq: 7216\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 36, \u0022ssh_auth_burst_rate\u0022: 2.57}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":51},{"id":9337983,"ip":"35.233.77.25","ts":"2026-06-16 04:49:18.000000","proto":"tcp","src_port":57498,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 84, \u0022payload_entropy\u0022: 4.139167728978457, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d36879333240626a18617a50ed2c7dee2f54393\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022MSSQL TDS prelogin\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0356\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002294e606a42613d0ef095b8001a98bf6ed\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dff62050a720ccbe26a1a7aa16a0f946ee4180be\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000T\\u0000\\u0003\\u0000\\u0000user\\u0000postgres\\u0000database\\u0000postgres\\u0000application_name\\u0000psql\\u0000client_encoding\\u0000UTF8\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 37, \u0022ssh_auth_burst_rate\u0022: 2.64}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":84},{"id":9337984,"ip":"35.233.77.25","ts":"2026-06-16 04:49:18.000000","proto":"tcp","src_port":57490,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 238, \u0022payload_entropy\u0022: 5.113383338217833, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0520\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Oracle TNS connect\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0520\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223ec3472553fccfc5460ce0aa0edb3bd2\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=22)))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=22)))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221246a073ff78ce2d8c3496f0df527f87975caadd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u003C,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\u003C\\u0001,\\u0000\\u0000\ufffd\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000\ufffd\\u0000:\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u003C,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 38, \u0022ssh_auth_burst_rate\u0022: 2.71}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":238},{"id":9337978,"ip":"35.233.77.25","ts":"2026-06-16 04:49:17.000000","proto":"tcp","src_port":57408,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.9235205817738175, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d23b5ed00a4e814f350523d032a1394122d39cb7\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222a177602bee0d039f41fbd6da5240e04\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e876fa09a770fdbdbcbee593cc5e2e22f1136a9e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(r\ufffd\ufffd\ufffd\ufffd|\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(r\ufffd\ufffd\ufffd\ufffd|\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 32, \u0022ssh_auth_burst_rate\u0022: 2.46}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":44},{"id":9337979,"ip":"35.233.77.25","ts":"2026-06-16 04:49:17.000000","proto":"tcp","src_port":57422,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 106, \u0022payload_entropy\u0022: 1.562219115128654, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c410cf23b3d85ec98026baf9f8231d24\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d422539d9eae3410f418d7d4e23510bf8e6c8e72\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022f\ufffdSMB@$333333333333337\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000f\ufffdSMB@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000$\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0013333333333333337\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0002\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022f\ufffdSMB@$333333333333337\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 33, \u0022ssh_auth_burst_rate\u0022: 2.54}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":106},{"id":9337980,"ip":"35.233.77.25","ts":"2026-06-16 04:49:17.000000","proto":"tcp","src_port":57430,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 2.125814583693911, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226f4b631d2aa4b9024f72e0e149ce9eda\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022T\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022request_sample\u0022: \u0022T\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022T\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022T\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022T\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c7ab99d5e4abcb724e1484ec6a2a51777e145e4a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022T\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022T\ufffd\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022T\ufffd\\u0000\\u0000\\u0000\\u0006\\u0001\\u0002\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022T\ufffd\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 34, \u0022ssh_auth_burst_rate\u0022: 2.61, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":12},{"id":9337981,"ip":"35.233.77.25","ts":"2026-06-16 04:49:17.000000","proto":"tcp","src_port":57438,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.128085278891395, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0414\u0022], \u0022matched_pattern_names\u0022: [\u0022Redis PING RESP\u0022], \u0022pattern_ids\u0022: [\u0022pat-0414\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a43cb6a3b9d261112714d00e36b33106\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d4d2aa8f4088fee9ca985dd7ecfcc5b9fc3cffa8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 35, \u0022ssh_auth_burst_rate\u0022: 2.69}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":14},{"id":9337985,"ip":"35.233.77.25","ts":"2026-06-16 04:49:17.000000","proto":"tcp","src_port":57464,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 7, \u0022payload_entropy\u0022: 2.807354922057604, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0604\u0022], \u0022matched_pattern_names\u0022: [\u0022Java RMI JRMI\u0022], \u0022pattern_ids\u0022: [\u0022pat-0604\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d8c49a0f759e2102fb8fa8368049d06a\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002225c057bdc097d97004a01c34d3bb59bfa4a90986\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 39, \u0022ssh_auth_burst_rate\u0022: 3.0}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":7},{"id":9337986,"ip":"35.233.77.25","ts":"2026-06-16 04:49:17.000000","proto":"tcp","src_port":57480,"dst_port":22,"service":"ssh","classification":"mqtt_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 20, \u0022payload_entropy\u0022: 3.1414460711655217, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b1802f6f71a11621266cff4649898a3490ca5795\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 110, \u0022precision_signals\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022matched_patterns\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MQTT protocol\u0022, \u0022MQTT alt CONNECT\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228cbaa0e25147458ba5f5f0e8603c4f19\u0022, \u0022path_pattern_hash\u0022: \u00224449b927317468afa12a2f935a413459\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022091bb425d2449cc5524179b89f1cfac2157d0511\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0012\\u0000\\u0004MQTT\\u0005\\u0002\\u0000\u003C\\u0000\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 40, \u0022ssh_auth_burst_rate\u0022: 3.07}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":20},{"id":9337987,"ip":"35.233.77.25","ts":"2026-06-16 04:49:17.000000","proto":"tcp","src_port":57482,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 3.584962500721156, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b2993d6e4414a846683a71de5eb18653\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022request_sample\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022payload_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022@RSYTCD: 29\\n\u0022, \u0022payload_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022688ac31b5cccb45d898542916e35709bba611706\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022@RSYTCD: 29\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022@RSYTCD: 29\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022@RSYTCD: 29\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 41, \u0022ssh_auth_burst_rate\u0022: 3.15}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":12},{"id":9337988,"ip":"35.233.77.25","ts":"2026-06-16 04:49:17.000000","proto":"tcp","src_port":57460,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.6644977792004623, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d7cf99dd7541d7bd514fc0d9a1b2d531\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022request_sample\u0022: \u0022JDWP-Handshake\u0022, \u0022payload_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JDWP-Handshake\u0022, \u0022payload_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022edab5da1d572e96dec38495ef77723da65c2edc8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JDWP-Handshake\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JDWP-Handshake\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 42, \u0022ssh_auth_burst_rate\u0022: 3.23}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":14},{"id":9337989,"ip":"35.233.77.25","ts":"2026-06-16 04:49:17.000000","proto":"tcp","src_port":57450,"dst_port":22,"service":"ssh","classification":"mqtt_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 3.281373409411991, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b1802f6f71a11621266cff4649898a3490ca5795\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 110, \u0022precision_signals\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022matched_patterns\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MQTT protocol\u0022, \u0022MQTT alt CONNECT\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022146feb4208f989935534a353df60ec62\u0022, \u0022path_pattern_hash\u0022: \u00224449b927317468afa12a2f935a413459\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b037cb5b32edc22d86c89afe5cb4c84b5d698274\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0011\\u0000\\u0004MQTT\\u0003\\u0002\\u0000\u003C\\u0000\\u0005AAAAA\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022MQTT\u003CAAAAA\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 43, \u0022ssh_auth_burst_rate\u0022: 3.31}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtt_connect\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":19},{"id":9337974,"ip":"35.233.77.25","ts":"2026-06-16 04:49:14.000000","proto":"tcp","src_port":57364,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 71, \u0022payload_entropy\u0022: 4.83906190787142, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0556\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022Kafka ApiVersions key\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0556\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d9bcc621186ef441cc445f2b3dbd5f10\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229a321f0f92229c154128e8e36ccded2ae3db9c21\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000C\\u0000\\u0012\\u0000\\u0000\\u001e3\ufffd\\u0000\\u001fconsumer-Offset Explorer 2.2-18\\u0000\\u0012apache-kafka-java\\u00062.4.0\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 19, \u0022ssh_auth_burst_rate\u0022: 1.46}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":71},{"id":9337976,"ip":"35.233.77.25","ts":"2026-06-16 04:49:14.000000","proto":"tcp","src_port":57380,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 39, \u0022payload_entropy\u0022: 4.155818941810702, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d36879333240626a18617a50ed2c7dee2f54393\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222b30d8d990d2c9ef2a45ca4c965196f0\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006SV59IH\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006SV59IH\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006SV59IH\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006SV59IH\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006SV59IH\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c068c51337dd4e48f762e5ac302b516a91a324ff\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006SV59IH\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022#3\ufffd\\radminclient-5SV59IH\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000#\\u0000\\u0003\\u0000\\u0000\\u001e3\ufffd\\u0000\\radminclient-5\\u0000\\u0000\\u0000\\u0001\\u0000\\u0006SV59IH\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022#3\ufffd\\radminclient-5SV59IH\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 20, \u0022ssh_auth_burst_rate\u0022: 1.54, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022postgres_startup\u0022, \u0022postgresql_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":39},{"id":9337972,"ip":"35.233.77.25","ts":"2026-06-16 04:49:11.000000","proto":"tcp","src_port":10052,"dst_port":22,"service":"ssh","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 4.354527413223707, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002290e396dfa83b5a259815c28cb0d651ce713d0ed3\u0022, \u0022event_fingerprint\u0022: \u0022e2fecb7fa672c436270a1a3ab197ed5a9894cbda\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220efe38694fbb4cc2af819186b5e9ae9e\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022934005d824e0429f4513074da441d0cf46312130\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022X%\u0026\u0027+,$\ufffd\\t\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\u066a\u003CK\ufffd{\ufffd\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000X\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u001f\\u0000\\u0006\\u0001\\u0000%\\u0000\\u0001\\u0002\\u0000\u0026\\u0000\\u0001\\u0003\\u0000\u0027\\u0000\\u0004\\u0004\\u0000+\\u0000\\u0001\\u0005\\u0000,\\u0000$\ufffd\\u0011\\t\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\\u001f\u066a\u003C\\u0013K\ufffd{\ufffd\\u0003\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022X%\u0026\u0027+,$\ufffd\\t\ufffd\ufffd\ufffd\\\\\ufffdk\ufffd\u066a\u003CK\ufffd{\ufffd\\\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_tds\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_mssql_tds\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 15, \u0022ssh_auth_burst_rate\u0022: 1.15}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_tds\u0022, \u0022net_bruteforce_burst\u0022, \u0022net_mssql_tds\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":88},{"id":9337973,"ip":"35.233.77.25","ts":"2026-06-16 04:49:11.000000","proto":"tcp","src_port":57346,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 4.8402239289418505, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002210c3d18dc3484700172a01283b82bffd\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u00220:\\u0002\\u0004\\u00109\ufffd\ufffd`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qveykmimefhzlduyftwz\ufffd\\u0014qveykmimefhzlduyftwz\u0022, \u0022request_sample\u0022: \u00220:\\u0002\\u0004\\u00109\ufffd\ufffd`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qveykmimefhzlduyftwz\ufffd\\u0014qveykmimefhzlduyftwz\u0022, \u0022payload_snippet\u0022: \u00220:\\u0002\\u0004\\u00109\ufffd\ufffd`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qveykmimefhzlduyftwz\ufffd\\u0014qveykmimefhzlduyftwz\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00220:\\u0002\\u0004\\u00109\ufffd\ufffd`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qveykmimefhzlduyftwz\ufffd\\u0014qveykmimefhzlduyftwz\u0022, \u0022payload_snippet\u0022: \u00220:\\u0002\\u0004\\u00109\ufffd\ufffd`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qveykmimefhzlduyftwz\ufffd\\u0014qveykmimefhzlduyftwz\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e880990fbca8675b49511f8aed5682cafeca0a5f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220:\\u0002\\u0004\\u00109\ufffd\ufffd`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qveykmimefhzlduyftwz\ufffd\\u0014qveykmimefhzlduyftwz\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u00220:9\ufffd\ufffd`2cn=qveykmimefhzlduyftwz\ufffdqveykmimefhzlduyftwz\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220:\\u0002\\u0004\\u00109\ufffd\ufffd`2\\u0002\\u0001\\u0003\\u0004\\u0017cn=qveykmimefhzlduyftwz\ufffd\\u0014qveykmimefhzlduyftwz\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00220:9\ufffd\ufffd`2cn=qveykmimefhzlduyftwz\ufffdqveykmimefhzlduyftwz\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 16, \u0022ssh_auth_burst_rate\u0022: 1.23}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":60},{"id":9337971,"ip":"35.233.77.25","ts":"2026-06-16 04:49:08.000000","proto":"tcp","src_port":10044,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a7126521109c1987b3394ab50203f58d5e0666d\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022481e7c9d48f087e9179390f97c4362a8599a741d\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 14, \u0022ssh_auth_burst_rate\u0022: 1.4}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_banner_grab\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9337968,"ip":"35.233.77.25","ts":"2026-06-16 04:49:05.000000","proto":"tcp","src_port":10030,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 16, \u0022payload_entropy\u0022: 3.327819531114783, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c15f26f8461f9c4ecf0b1ed9e3d255a84f9eaf82\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad32b372bf9a8e846b24a957491de4e3\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022Not a command \\r\\n\u0022, \u0022request_sample\u0022: \u0022Not a command \\r\\n\u0022, \u0022payload_snippet\u0022: \u0022Not a command\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022Not a command \\r\\n\u0022, \u0022payload_snippet\u0022: \u0022Not a command\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022250dbd8b8f86903d9c7611d3c1f2018db5027abe\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022Not a command\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022Not a command\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022Not a command\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Not a command\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 13, \u0022ssh_auth_burst_rate\u0022: 1.0}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":16},{"id":9337965,"ip":"35.233.77.25","ts":"2026-06-16 04:49:04.000000","proto":"tcp","src_port":10020,"dst_port":22,"service":"ssh","classification":"ssh_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.983740670882855, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022BE\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228fc6ed97290d268f1fc6cf8588666a2736755a3f\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 68, \u0022precision_signals\u0022: [\u0022INT-ssh-brute\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-brute\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BE\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220003c8efa0acdc0c6540f4bdb920f6bc\u0022, \u0022path_pattern_hash\u0022: \u0022fca570dfedc4605a2c5e448037a92aaf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002294172eec75bd2e49c01514c1cb036ae3c10770b0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Rafale d\u0027authentification SSH \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-brute\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Bruteforce SSH\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u000b\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Bruteforce SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 17, \u0022ssh_auth_burst_rate\u0022: 1.13}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":19}],"total_events":60}