{"ip":"45.153.34.134","exported_at":"2026-07-19T05:10:07+00:00","period_days":1,"metrics":{"events7d":4,"distinct_ports":2,"distinct_classifications":3,"max_severity":2,"last_sensor_id":"paris-1","max_waf_score":3,"max_risk_score":38,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.95,"risk_breakdown":{"waf":8,"classification":38,"behavior":0,"geo":0,"protocol":25,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"T1595","top_mitre_technique":"TA0007","top_mitre_count":3,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 38\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":38,"behavior":0,"geo":0,"protocol":25,"novelty":15,"risk_score":38},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":95,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Requ\u00eate favicon.ico","Single Port","Chemin b\u00e9nin connu"],"tags_summary":["INT-benign-favicon","INT-single-port","INT-benign-path-cap"],"attack_vector":"Sonde HTTP \u00b7 via HTTP:20128 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico","protocol_details":{"http_method":"GET","http_path":"\/favicon.ico","request_line":"GET \/favicon.ico HTTP\/1.1","http_user_agent":"odin-scanner\/0.4","port":20128,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/favicon.ico \u00b7 UA odin-scanner\/0.4 \u00b7 HTTP:20128","evidence_snippet":"GET \/favicon.ico HTTP\/1.0\r\nHost: 62.3.50.33:20128\r\nUser-Agent: odin-scanner\/0.4\r\nAccept: *\/*\r\nConnection: close","target_port_label":"20128 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 95 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%","classification_reason_label_fr":"Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%","confidence_factors_fr":"Confiance 95 % \u2014 Score WAF 8","payload_preview":"GET \/favicon.ico HTTP\/1.0\r\nHost: 62.3.50.33:20128\r\nUser-Agent: odin-scanner\/0.4\r\nAccept: *\/*\r\nConnection: close"},"events":[{"id":12786915,"ip":"45.153.34.134","ts":"2026-07-18 15:34:12.000000","proto":"tcp","src_port":61617,"dst_port":20128,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u002297c33e6da355810621fb6e2980c711442b4c1fda\u0022, \u0022http_host_hash\u0022: \u0022811e873ecf166e0cfcd38010b221c32006fb2f57\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 115, \u0022payload_entropy\u0022: 4.926132251715087, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 20128, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229e01c25ddb7630cfa5ccc7ae2a22c18b22cb7e59\u0022, \u0022event_fingerprint\u0022: \u00227acb444c36a72f649ce0b8b3cac567434f9bfdc7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 94, \u0022precision_signals\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d3a80be2090f0c1e93f403f2faae898c\u0022, \u0022payload_hash\u0022: \u0022926f0eed463dc36994e312983275ff54\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 20128, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022odin-scanner\/0.4\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022odin-scanner\/0.4\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227891303f6adcf05f9c5042fcdc4d39ca231877c9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022odin-scanner\/0.4\u0022, \u0022port\u0022: 20128, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:20128 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u002220128 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 20128, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Requ\u00eate favicon.ico\u0022, \u0022Single Port\u0022, \u0022Chemin b\u00e9nin connu\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022odin-scanner\/0.4\u0022, \u0022port\u0022: 20128, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:20128 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u002220128 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002220128\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33:20128","http_user_agent":"odin-scanner\/0.4","http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":115},{"id":12786914,"ip":"45.153.34.134","ts":"2026-07-18 15:34:11.000000","proto":"tcp","src_port":61448,"dst_port":20128,"service":"http","classification":"http","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002297c33e6da355810621fb6e2980c711442b4c1fda\u0022, \u0022http_host_hash\u0022: \u0022811e873ecf166e0cfcd38010b221c32006fb2f57\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 4.888960786641588, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 20128, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 8.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 8.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a89d168a427bb6a864d881dd25ea685cafb2c690\u0022, \u0022event_fingerprint\u0022: \u0022861e155a63a607acd9ac32a86b781855416aad15\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d3a80be2090f0c1e93f403f2faae898c\u0022, \u0022payload_hash\u0022: \u00229d143af51d660110a02e023ef00806dd\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 20128, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022odin-scanner\/0.4\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022odin-scanner\/0.4\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 58%\u0022}, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 58%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 8.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.58, \u0022classification_confidence\u0022: 0.58, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222fe36db9f343b5abf55b03d213fd2303cd2734a8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022odin-scanner\/0.4\u0022, \u0022port\u0022: 20128, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022http \u00b7 via HTTP:20128 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002220128 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 58 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 58%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 58%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 8.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 20128, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022odin-scanner\/0.4\u0022, \u0022port\u0022: 20128, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http \u00b7 via HTTP:20128 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:20128\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u002220128 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 58 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002220128\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33:20128","http_user_agent":"odin-scanner\/0.4","http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":1,"bytes_in":104},{"id":12786377,"ip":"45.153.34.134","ts":"2026-07-18 15:22:55.000000","proto":"tcp","src_port":61834,"dst_port":11235,"service":"xmrig-proxy","classification":"xmrig-proxy","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f7420786d7269675f70726f787920726561647920706f72743d31313233350d0a\u0022, \u0022emulator_response_len\u0022: 43, \u0022bytes_in\u0022: 115, \u0022payload_entropy\u0022: 4.908740947367261, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022xmrig-proxy\u0022, \u0022app_proto\u0022: \u0022xmrig-proxy\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 11235, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 16.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 32.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0bbf9109b709bebb19f3a3ca6e1147a6a9af63a\u0022, \u0022event_fingerprint\u0022: \u00221d2c54187e9138b3a4b809f325d0d834b08b5e0f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xmrig-proxy \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022xmrig-proxy\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f5b544f9642e786c06f55d2ab8982225\u0022, \u0022path_pattern_hash\u0022: \u0022b2def2303c99e93603c3e2178cd525d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11235, \u0022service\u0022: \u0022xmrig-proxy\u0022, \u0022service_name\u0022: \u0022xmrig-proxy\u0022, \u0022risk_score\u0022: 24}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xmrig-proxy \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cabaef3af80cf5dd56b9527da3e0abdb12e2c204\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022port\u0022: 11235, \u0022service\u0022: \u0022xmrig-proxy\u0022, \u0022service_label_fr\u0022: \u0022XMRIG PROXY\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022xmrig-proxy \u00b7 via XMRIG PROXY:11235 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002211235 \u00b7 XMRIG PROXY\u0022, \u0022emulator_service\u0022: \u0022xmrig-proxy\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 1 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xmrig-proxy \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xmrig-proxy \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022xmrig-proxy\u0022, \u0022service_label_fr\u0022: \u0022XMRIG PROXY\u0022, \u0022dst_port\u0022: 11235, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-xmrig-proxy\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022port\u0022: 11235, \u0022service\u0022: \u0022xmrig-proxy\u0022, \u0022service_label_fr\u0022: \u0022XMRIG PROXY\u0022}, \u0022attack_vector\u0022: \u0022xmrig-proxy \u00b7 via XMRIG PROXY:11235 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u002211235 \u00b7 XMRIG PROXY\u0022, \u0022emulator_service\u0022: \u0022xmrig-proxy\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 1 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022xmrig_proxy\u0022, \u0022service_banner\u0022: \u0022honeypot-xmrig-proxy\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211235\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022]","anomalies":"[]","severity":2,"bytes_in":115},{"id":12786376,"ip":"45.153.34.134","ts":"2026-07-18 15:22:54.000000","proto":"tcp","src_port":61664,"dst_port":11235,"service":"xmrig-proxy","classification":"xmrig-proxy","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f7420786d7269675f70726f787920726561647920706f72743d31313233350d0a\u0022, \u0022emulator_response_len\u0022: 43, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 4.869730017410818, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022service\u0022: \u0022xmrig-proxy\u0022, \u0022app_proto\u0022: \u0022xmrig-proxy\u0022, \u0022asn\u0022: 197170, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 11235, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 16.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 32.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0bbf9109b709bebb19f3a3ca6e1147a6a9af63a\u0022, \u0022event_fingerprint\u0022: \u00221d2c54187e9138b3a4b809f325d0d834b08b5e0f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xmrig-proxy \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022xmrig-proxy\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 197170, \u0022org\u0022: \u0022TechTies Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a85edec7662accef872a43c1a65353ac\u0022, \u0022path_pattern_hash\u0022: \u0022b2def2303c99e93603c3e2178cd525d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11235, \u0022service\u0022: \u0022xmrig-proxy\u0022, \u0022service_name\u0022: \u0022xmrig-proxy\u0022, \u0022risk_score\u0022: 24}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xmrig-proxy \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a467e61ce8ed653f13d50548604df9dcf48dd566\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022port\u0022: 11235, \u0022service\u0022: \u0022xmrig-proxy\u0022, \u0022service_label_fr\u0022: \u0022XMRIG PROXY\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022xmrig-proxy \u00b7 via XMRIG PROXY:11235 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002211235 \u00b7 XMRIG PROXY\u0022, \u0022emulator_service\u0022: \u0022xmrig-proxy\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 1 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xmrig-proxy \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xmrig-proxy \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022xmrig-proxy\u0022, \u0022service_label_fr\u0022: \u0022XMRIG PROXY\u0022, \u0022dst_port\u0022: 11235, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-xmrig-proxy\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022port\u0022: 11235, \u0022service\u0022: \u0022xmrig-proxy\u0022, \u0022service_label_fr\u0022: \u0022XMRIG PROXY\u0022}, \u0022attack_vector\u0022: \u0022xmrig-proxy \u00b7 via XMRIG PROXY:11235 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nHost: 62.3.50.33:11235\\r\\nUser-Agent: odin-scanner\/0.4\\r\\nAccept: *\/*\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u002211235 \u00b7 XMRIG PROXY\u0022, \u0022emulator_service\u0022: \u0022xmrig-proxy\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 1 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022xmrig_proxy\u0022, \u0022service_banner\u0022: \u0022honeypot-xmrig-proxy\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211235\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022]","anomalies":"[]","severity":2,"bytes_in":104}],"total_events":4}