Détails IP 45.207.205.45

Synthèse exécutive

Profil de menace

Score de risque 64/100 Moyen

Première observation 13/06/2026 18:13 UTC

Dernière observation 13/06/2026 19:16 UTC

Événements (période) 132

MITRE ATT&CK principal T1046 119 occurrences

Activité suspecte — risque 51/100 (Moyen) — MITRE TA0001 — confiance 50 % — via HTTP

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « xss_attack » (signaux protocolaires) · confiance 50%

Confiance 50 % — Score WAF 84 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 8796 · 45.207.204.0/23 · AFRINIC — 7 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 132 événements sur la période pour cette IP.

45.205.27.52 Sonde SSH 29/05/2026 11:09 UTC
156.238.224.50 Sonde SSH 25/04/2026 06:39 UTC
149.88.88.251 telnet attack 16/04/2026 20:11 UTC
156.238.252.133 Sonde SSH 21/02/2026 07:36 UTC
45.207.201.221 Sonde SSH 22/01/2026 19:17 UTC
156.238.252.46 Sonde SSH 02/01/2026 19:07 UTC
154.201.73.192 Sonde port 07/11/2025 20:20 UTC

Événements (filtres)

132

Première observation

13/06/2026 18:13 UTC

Dernière observation

13/06/2026 19:16 UTC

Dernière activité (filtres)

13/06/2026 19:16 UTC

Événements 7j

132

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 21 VNC TCP 6 RDP TCP 4 Telnet TCP 4 REDIS TCP 4 NFS TCP 4 RSYNC TCP 4 K8S API TCP 3 SMB TCP 3 HTTP ALT 8001 TCP 3 DOCKER TLS TCP 3 MSSQL TCP 3 SSH TCP 3 HTTP ALT 8081 TCP 3 ELASTICSEARCH TCP 3 MYSQL TCP 3 MEMCACHED TCP 3 HTTP ALT 8082 TCP 3 AMQP TCP 3 MONGODB TCP 3

HTTP

VNC

RDP

Telnet

REDIS

NFS

Géolocalisation

Origine réseau déclarée

Seychelles unknown unknown

FAI / réseau

Opérateur et dernière activité ban

FASTNET DATA INC 0 Port 8080 xss_attack

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

xss attack · via HTTP:8080 · (tentative d'exploit) · → /status

Détails protocole

Méthode: GET
Chemin: /status
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0

Aperçu payload

GET /status HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0

Port / service

8080 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 50 % — Motif catalogue confirmé · 3 tag(s) WAF

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0284

Confiance

50% Confiance modérée — signal unique

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

132 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

132 événement(s) — page 2/3

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
13/06/2026 18:38:31 UTC	TCP	873 · RSYNC	rsync	rsync probe rsync probe · via RSYNC:873 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur RSYNC WAF — Recommandation Surveiller Tags net_rsync_probe rsync_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 873 Chemin / cible — Service RSYNC Pourquoi cette classification : Type « rsync_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 34 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "405253594e43443a2033312e3020686f6e6579706f74207273796e630a405253594e43443a2033312e3020686f6e6579706f74206d6f64756c65730a", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "rsync", "app_proto": "rsync", "asn": 8796, "country": "SC", "dst_port": 873, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 34, "tag_count": 2, "anomaly_count": 0, "campaign_key": "b225a60a411dd1824c2d387ccefaf495fd5f34e4", "event_fingerprint": "b8e7f2d6a44abcd0eaea4d28adc634b3cbaedb93", "classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 34, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "rsync", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "fa887033768ad7efd3289b383db625e0" }, "target_context": { "dst_port": 873, "service": "rsync", "service_name": "rsync", "risk_score": 34 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f1d73aa06c9f62dbc5b166d4f3f6ebcfb6f5db0", "protocol_details": { "port": 873, "service": "rsync", "service_label_fr": "RSYNC" }, "attack_vector": "rsync probe \u00b7 via RSYNC:873 \u00b7 (sonde \/ probe)", "target_port_label": "873 \u00b7 RSYNC", "emulator_service": "rsync", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab rsync_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 34, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "rsync", "service_label_fr": "RSYNC", "dst_port": 873, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rsync", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 873, "service": "rsync", "service_label_fr": "RSYNC" }, "attack_vector": "rsync probe \u00b7 via RSYNC:873 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "873 \u00b7 RSYNC", "emulator_service": "rsync", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rsync", "service_banner": "honeypot-rsync", "service_os": "linux", "dst_port": "873" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_rsync_probe", "rsync_emulated" ] }
13/06/2026 18:38:29 UTC	TCP	3389 · RDP	rdp	Sonde port 3389/TCP port 3389 tcp · via RDP:3389 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur RDP WAF — Recommandation Surveiller Tags net_rdp_probe rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Preuve honeypot — Sonde port 3389/TCP Connexion détectée sur le port 3389 (TCP) du capteur simulé. Service RDP Pourquoi cette classification : Type « port_3389_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "rdp", "app_proto": "rdp", "asn": 8796, "country": "SC", "dst_port": 3389, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "aa4bea48009056c8c3884e795b29aa79232ecca7", "event_fingerprint": "707be242ce71f14fac23ca7fdd82d854dc2752d8", "classification_reason": "Type \u00ab port_3389_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "rdp", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "eb3d82ddd64e24c65658a8ee92a2ad53" }, "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 42 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8d8d4f39783aca29ac10813e5aedff8182459974", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port 3389 tcp \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3389_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3389_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port 3389 tcp \u00b7 via RDP:3389 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_rdp_probe", "rdp_emulated" ] }
13/06/2026 18:36:36 UTC	TCP	8899	—	Scan de ports port scan syn · port 8899 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8899 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": null, "app_proto": null, "asn": 8796, "country": "SC", "dst_port": 8899, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 8, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "afc0b200edac86f190e0a27b340d58a500e24ec4", "event_fingerprint": "7f07ea3293347933c3fac46abf8a10ebef865f1d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8899, "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "71785876e697554beb415bccbdbd283be1bbba9f", "protocol_details": { "port": 8899 }, "attack_vector": "port scan syn \u00b7 port 8899 \u00b7 (reconnaissance)", "target_port_label": "8899", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (35 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 8899, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8899 }, "attack_vector": "port scan syn \u00b7 port 8899 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8899", "emulator_service": null, "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "8899" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 38, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 27, "scan_velocity_ports_per_s": 38.22, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 35, "multi_protocol_sample": [ "amqp", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:36:36 UTC	TCP	9042 · CASSANDRA	cassandra	Scan de ports port scan syn · via CASSANDRA:9042 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur CASSANDRA WAF — Recommandation Surveiller Tags cassandra_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9042 Chemin / cible — Service CASSANDRA Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "840000000200000002", "emulator_response_len": 9, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "cassandra", "app_proto": "cassandra", "asn": 8796, "country": "SC", "dst_port": 9042, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "1003280d273727fcc08ab3d788c35acf5b6d718b", "event_fingerprint": "26d8e48a1f6752aca7f9494557834abf00d18b90", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "cassandra", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9042, "service": "cassandra", "service_name": "cassandra", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "34e68eb852d7e20f3be478cf4609668da0b4a0e3", "protocol_details": { "port": 9042, "service": "cassandra", "service_label_fr": "CASSANDRA" }, "attack_vector": "port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)", "target_port_label": "9042 \u00b7 CASSANDRA", "emulator_service": "cassandra", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CASSANDRA \u2014 multi-protocole (36 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "cassandra", "service_label_fr": "CASSANDRA", "dst_port": 9042, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 9042, "service": "cassandra", "service_label_fr": "CASSANDRA" }, "attack_vector": "port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "9042 \u00b7 CASSANDRA", "emulator_service": "cassandra", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra", "service_banner": "honeypot-cassandra", "service_os": "linux", "dst_port": "9042" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 39, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 28, "scan_velocity_ports_per_s": 30.54, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 36, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "net_port_scan_fast" ] }
13/06/2026 18:36:36 UTC	TCP	28080	—	Scan de ports port scan syn · port 28080 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 28080 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": null, "app_proto": null, "asn": 8796, "country": "SC", "dst_port": 28080, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 8, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "030863de9f8fb9061654405a1dec756cb9b35e6d", "event_fingerprint": "4f56b264f7d5f0a896faf463b1211986c71b8b79", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 28080, "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9e5235981516249f27cbd5d6469af2b836e1284a", "protocol_details": { "port": 28080 }, "attack_vector": "port scan syn \u00b7 port 28080 \u00b7 (reconnaissance)", "target_port_label": "28080", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 8, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 28080, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 28080 }, "attack_vector": "port scan syn \u00b7 port 28080 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "28080", "emulator_service": null, "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "28080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 40, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 29, "scan_velocity_ports_per_s": 31.42, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	3306 · MYSQL	mysql	Scan de ports port scan syn · via MYSQL:3306 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MYSQL WAF — Recommandation Surveiller Tags mysql_emulated mysql_handshake net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3306 Chemin / cible — Service MYSQL Pourquoi cette classification : Poignée de main MySQL · confiance 100% Confiance classification 100% Corrélation +19 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mysql", "app_proto": "mysql", "asn": 8796, "country": "SC", "dst_port": 3306, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d33e704b19d7020f09cde303c282ef568fca0398", "event_fingerprint": "fc636b2a9fe65cd127101ef17af779a5183b0a0c", "classification_reason": "Poign\u00e9e de main MySQL \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 19 }, "named_classification_skipped": false, "service_name": "mysql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3306, "service": "mysql", "service_name": "mysql", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "81b707694027c788b580a508f840ce4fd2b6775a", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Poign\u00e9e de main MySQL \u00b7 confiance 100%", "classification_reason_label_fr": "Poign\u00e9e de main MySQL \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MYSQL \u2014 multi-protocole (12 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 19 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mysql", "service_label_fr": "MYSQL", "dst_port": 3306, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "8.0.32-MySQL", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +19", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mysql", "service_banner": "8.0.32-MySQL", "service_os": "linux", "dst_port": "3306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 1433, 2375, 2376, 3306, 5900, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 12, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "http", "https", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 19, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mysql_emulated", "mysql_handshake", "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	6443 · K8S API	k8s-api	Scan de ports port scan syn · via K8S API:6443 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur K8S-API WAF — Recommandation Surveiller Tags k8s_api_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6443 Chemin / cible — Service K8S API Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +19 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75", "emulator_response_len": 165, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "k8s-api", "app_proto": "k8s-api", "asn": 8796, "country": "SC", "dst_port": 6443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "366ac82e912f6b7faef5212e2dcc3aca21c23210", "event_fingerprint": "1eeecffdeefbfbad05a3604bc614efa2174b97bf", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 19 }, "named_classification_skipped": false, "service_name": "k8s-api", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 6443, "service": "k8s-api", "service_name": "k8s-api", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2c1e45c88d9f8909e06b7e5782a6f24e78838e2a", "protocol_details": { "port": 6443, "service": "k8s-api", "service_label_fr": "K8S API" }, "attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)", "target_port_label": "6443 \u00b7 K8S API", "emulator_service": "k8s-api", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (13 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 19 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "k8s-api", "service_label_fr": "K8S API", "dst_port": 6443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-k8s-api", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +19", "protocol_details": { "port": 6443, "service": "k8s-api", "service_label_fr": "K8S API" }, "attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "6443 \u00b7 K8S API", "emulator_service": "k8s-api", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "k8s_api", "service_banner": "honeypot-k8s-api", "service_os": "linux", "dst_port": "6443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 13, "port_scan_ports_sample": [ 1433, 2375, 2376, 3306, 5900, 6379, 6443, 8080, 8443, 9200, 10250, 11211, 27017 ], "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 13, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "http", "https", "k8s-api", "kubelet", "memcached" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 19, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "k8s_api_emulated", "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	22 · SSH	ssh	Scan de ports port scan syn · via SSH:22 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur SSH WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast ssh_banner_grab ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a", "emulator_response_len": 40, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "SC", "dst_port": 22, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a9b517824c94778e6748155f74784f3a93add744", "event_fingerprint": "b4929bf32779aefad610d20ae581619a267ba9f6", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87e0ca97b7bdc4227f7650f13d3e74f6532996ff", "protocol_details": { "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "port scan syn \u00b7 via SSH:22 \u00b7 (reconnaissance)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH \u2014 multi-protocole (14 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "port scan syn \u00b7 via SSH:22 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 14, "port_scan_ports_sample": [ 22, 1433, 2375, 2376, 3306, 5900, 6379, 6443, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 30, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 14, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "http", "https", "k8s-api", "kubelet", "memcached" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "ssh_banner_grab", "ssh_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	21 · FTP	ftp	Scan de ports port scan syn · via FTP:21 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Sonde protocole FTP Émulateur FTP WAF — Recommandation Surveiller Tags ftp_emulated net_bruteforce_burst net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 21 Chemin / cible — Service FTP Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420465450205365727665722072656164792e0d0a", "emulator_response_len": 32, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ftp", "app_proto": "ftp", "asn": 8796, "country": "SC", "dst_port": 21, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1c2e3b4d6bfb5ebd3a4fc0cb9495918eababa190", "event_fingerprint": "9031dd2c4b6735507ef78d847b42e7fda3d480dc", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "ftp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 21, "service": "ftp", "service_name": "ftp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "86741c785ad85d2c2164e0b0d81fa19001b0f3a6", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port scan syn \u00b7 via FTP:21 \u00b7 (reconnaissance)", "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via FTP \u2014 multi-protocole (15 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ftp", "service_label_fr": "FTP", "dst_port": 21, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ftp", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "ftp_auth_fr": "Sonde protocole FTP", "port": 21, "service": "ftp", "service_label_fr": "FTP" }, "attack_vector": "port scan syn \u00b7 via FTP:21 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "21 \u00b7 FTP", "emulator_service": "ftp", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ftp", "service_banner": "honeypot-ftp", "service_os": "linux", "dst_port": "21" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 15, "port_scan_ports_sample": [ 21, 22, 1433, 2375, 2376, 3306, 5900, 6379, 6443, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 40, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 15, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "ftp", "http", "https", "k8s-api", "kubelet" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "ftp_emulated", "net_bruteforce_burst", "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	3389 · RDP	rdp	Scan de ports port scan syn · via RDP:3389 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RDP WAF — Recommandation Surveiller Tags net_port_scan_fast rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "rdp", "app_proto": "rdp", "asn": 8796, "country": "SC", "dst_port": 3389, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3e883454a29ace2a688535dc2bc3e66adc65508d", "event_fingerprint": "e363e414733e6c4de1b1bc87369dc66f1f76c868", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6afe41ca5be6597013e0c45ff6276a5b8c62e579", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RDP \u2014 multi-protocole (16 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 16, "port_scan_ports_sample": [ 21, 22, 1433, 2375, 2376, 3306, 3389, 5900, 6379, 6443, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 50, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 16, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "ftp", "http", "https", "k8s-api", "kubelet" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rdp_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	873 · RSYNC	rsync	Scan de ports port scan syn · via RSYNC:873 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RSYNC WAF — Recommandation Surveiller Tags net_port_scan_fast rsync_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 873 Chemin / cible — Service RSYNC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "405253594e43443a2033312e3020686f6e6579706f74207273796e630a405253594e43443a2033312e3020686f6e6579706f74206d6f64756c65730a", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "rsync", "app_proto": "rsync", "asn": 8796, "country": "SC", "dst_port": 873, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "2b9924e4ee70903ed67db5f76eb0892ba7020d7c", "event_fingerprint": "946b05c81089bfc0460f7ef64cf5c3f3734227ed", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rsync", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 873, "service": "rsync", "service_name": "rsync", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce662a52958afa5105b86420b22ca8699c87383b", "protocol_details": { "port": 873, "service": "rsync", "service_label_fr": "RSYNC" }, "attack_vector": "port scan syn \u00b7 via RSYNC:873 \u00b7 (reconnaissance)", "target_port_label": "873 \u00b7 RSYNC", "emulator_service": "rsync", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RSYNC \u2014 multi-protocole (17 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rsync", "service_label_fr": "RSYNC", "dst_port": 873, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rsync", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 873, "service": "rsync", "service_label_fr": "RSYNC" }, "attack_vector": "port scan syn \u00b7 via RSYNC:873 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "873 \u00b7 RSYNC", "emulator_service": "rsync", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rsync", "service_banner": "honeypot-rsync", "service_os": "linux", "dst_port": "873" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 17, "port_scan_ports_sample": [ 21, 22, 873, 1433, 2375, 2376, 3306, 3389, 5900, 6379, 6443, 8080, 8443, 9200, 10250, 11211 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 6, "scan_velocity_ports_per_s": 59.04, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 17, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "ftp", "http", "https", "k8s-api", "kubelet" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rsync_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	5000 · FLASK HTTP	flask-http	Scan de ports port scan syn · via FLASK HTTP:5000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur FLASK-HTTP WAF — Recommandation Surveiller Tags flask_http_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5000 Chemin / cible — Service FLASK HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "flask-http", "app_proto": "flask-http", "asn": 8796, "country": "SC", "dst_port": 5000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "5260fec0ed25eb6d8e481670ebcec24514cb5c60", "event_fingerprint": "8d0a84b1f7d0da0d7e3e8cefee8d1ec30015078c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "flask-http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5000, "service": "flask-http", "service_name": "flask-http", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e3ac75289e64ebe63aaa69d0a2660d0d430458a0", "protocol_details": { "port": 5000, "service": "flask-http", "service_label_fr": "FLASK HTTP" }, "attack_vector": "port scan syn \u00b7 via FLASK HTTP:5000 \u00b7 (reconnaissance)", "target_port_label": "5000 \u00b7 FLASK HTTP", "emulator_service": "flask-http", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via FLASK HTTP \u2014 multi-protocole (18 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "flask-http", "service_label_fr": "FLASK HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-flask-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 5000, "service": "flask-http", "service_label_fr": "FLASK HTTP" }, "attack_vector": "port scan syn \u00b7 via FLASK HTTP:5000 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5000 \u00b7 FLASK HTTP", "emulator_service": "flask-http", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "flask_http", "service_banner": "honeypot-flask-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 18, "port_scan_ports_sample": [ 21, 22, 873, 1433, 2375, 2376, 3306, 3389, 5000, 5900, 6379, 6443, 8080, 8443, 9200, 10250 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 55.18, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 18, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "https", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "flask_http_emulated", "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	9000 · HTTP	http	Scan de ports port scan syn · via HTTP:9000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_dev_port http_alt_port net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9000 Chemin / cible — Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 9000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "97dde639ecc91a3a733f93274a66d67cb7adda85", "event_fingerprint": "c191fd7753de9ec898a5acf873c182d0ba49940e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b250643fdba12cdb34d85c042e5c1ab87d2f2399", "protocol_details": { "port": 9000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9000 \u00b7 (reconnaissance)", "target_port_label": "9000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (18 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 9000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9000 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "9000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 19, "port_scan_ports_sample": [ 21, 22, 873, 1433, 2375, 2376, 3306, 3389, 5000, 5900, 6379, 6443, 8080, 8443, 9000, 9200 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 8, "scan_velocity_ports_per_s": 52.77, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 18, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "https", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_dev_port", "http_alt_port", "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	445 · SMB	smb	Scan de ports port scan syn · via SMB:445 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur SMB WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast smb_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 445 Chemin / cible — Service SMB Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "smb", "app_proto": "smb", "asn": 8796, "country": "SC", "dst_port": 445, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "96665521d70583a97d746c1fa2f6b4da6e027b9b", "event_fingerprint": "28ecc987eb914c8ed9fc92ead8a82a75ca582ae2", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "smb", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 445, "service": "smb", "service_name": "smb", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af8c0668a2bd1f95092bf662f2b36fd5bc842133", "protocol_details": { "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "port scan syn \u00b7 via SMB:445 \u00b7 (reconnaissance)", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SMB \u2014 multi-protocole (19 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "smb", "service_label_fr": "SMB", "dst_port": 445, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-smb", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "port scan syn \u00b7 via SMB:445 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "smb", "service_banner": "honeypot-smb", "service_os": "linux", "dst_port": "445" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 20, "port_scan_ports_sample": [ 21, 22, 445, 873, 1433, 2375, 2376, 3306, 3389, 5000, 5900, 6379, 6443, 8080, 8443, 9000 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 9, "scan_velocity_ports_per_s": 55.57, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 19, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "https", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "smb_emulated" ], "behavior_alert_count": 2, "behavior_priority": 84 }
13/06/2026 18:36:35 UTC	TCP	2049 · NFS	nfs	Scan de ports port scan syn · via NFS:2049 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur NFS WAF — Recommandation Surveiller Tags net_port_scan_fast nfs_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2049 Chemin / cible — Service NFS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "nfs", "app_proto": "nfs", "asn": 8796, "country": "SC", "dst_port": 2049, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "68b58f0f15ed4b19e30cd09adde9e2c2b4037b27", "event_fingerprint": "406f1fb049fa29b057884fc3ea6c98702c6088ca", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "nfs", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2049, "service": "nfs", "service_name": "nfs", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "96e932f0b6d1ab2456ebe4d4ed0aac5585862d74", "protocol_details": { "port": 2049, "service": "nfs", "service_label_fr": "NFS" }, "attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)", "target_port_label": "2049 \u00b7 NFS", "emulator_service": "nfs", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NFS \u2014 multi-protocole (20 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "nfs", "service_label_fr": "NFS", "dst_port": 2049, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-nfs", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 2049, "service": "nfs", "service_label_fr": "NFS" }, "attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2049 \u00b7 NFS", "emulator_service": "nfs", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "nfs", "service_banner": "honeypot-nfs", "service_os": "linux", "dst_port": "2049" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 21, "port_scan_ports_sample": [ 21, 22, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5900, 6379, 6443, 8080, 8443 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 10, "scan_velocity_ports_per_s": 61, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 20, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "https", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "nfs_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	23 · Telnet	telnet	Scan de ports port scan syn · via Telnet:23 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur TELNET WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast telnet_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 23 Chemin / cible — Service Telnet Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "fffb01fffb03fffd180d0a5562756e74752032322e3034204c54530d0a686f6e6579706f74206c6f67696e3a20", "emulator_response_len": 45, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "telnet", "app_proto": "telnet", "asn": 8796, "country": "SC", "dst_port": 23, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "48d8b4c7f2062b33e6f848537fa0c8db6498193d", "event_fingerprint": "b01c5d414ece661f92cba2c282935e85d119d5b1", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "telnet", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 23, "service": "telnet", "service_name": "telnet", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7dbc040b9cb1a53a382d952cdc79ad2227ec11e", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port scan syn \u00b7 via Telnet:23 \u00b7 (reconnaissance)", "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via Telnet \u2014 multi-protocole (21 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "telnet", "service_label_fr": "Telnet", "dst_port": 23, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-telnet", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 23, "service": "telnet", "service_label_fr": "Telnet" }, "attack_vector": "port scan syn \u00b7 via Telnet:23 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "23 \u00b7 Telnet", "emulator_service": "telnet", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "telnet", "service_banner": "honeypot-telnet", "service_os": "linux", "dst_port": "23" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 22, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5900, 6379, 6443, 8080 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 11, "scan_velocity_ports_per_s": 60.94, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 21, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "https", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "telnet_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	8001 · HTTP ALT 8001	http-alt-8001	Scan de ports port scan syn · via HTTP ALT 8001:8001 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP-ALT-8001 WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8001 Chemin / cible — Service HTTP ALT 8001 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http-alt-8001", "app_proto": "http-alt-8001", "asn": 8796, "country": "SC", "dst_port": 8001, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "c5e87dc6e5c16ff4835256ea9983e0a3ac15af77", "event_fingerprint": "a7663b25eee412a43bf0523e5c9c4eca004bd0ac", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http-alt-8001", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8001, "service": "http-alt-8001", "service_name": "http-alt-8001", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3972144e91f62dfa1c95264ff05ce7d9ca0ca98a", "protocol_details": { "port": 8001, "service": "http-alt-8001", "service_label_fr": "HTTP ALT 8001" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8001:8001 \u00b7 (reconnaissance)", "target_port_label": "8001 \u00b7 HTTP ALT 8001", "emulator_service": "http-alt-8001", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8001 \u2014 multi-protocole (22 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http-alt-8001", "service_label_fr": "HTTP ALT 8001", "dst_port": 8001, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8001", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8001, "service": "http-alt-8001", "service_label_fr": "HTTP ALT 8001" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8001:8001 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8001 \u00b7 HTTP ALT 8001", "emulator_service": "http-alt-8001", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8001", "service_banner": "honeypot-http-alt-8001", "service_os": "linux", "dst_port": "8001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 23, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5900, 6379, 6443, 8001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 12, "scan_velocity_ports_per_s": 63.53, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 22, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "https" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	8082 · HTTP ALT 8082	http-alt-8082	Scan de ports port scan syn · via HTTP ALT 8082:8082 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP-ALT-8082 WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8082 Chemin / cible — Service HTTP ALT 8082 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http-alt-8082", "app_proto": "http-alt-8082", "asn": 8796, "country": "SC", "dst_port": 8082, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a6f984ec056a43a9930866c96db3b3702488c652", "event_fingerprint": "754fe1c1fd27dff7b9653c1ba3c9f4252e86ae83", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http-alt-8082", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8082, "service": "http-alt-8082", "service_name": "http-alt-8082", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "334f348ae62f55a35b64bafe573c1fe6d3e4d0a3", "protocol_details": { "port": 8082, "service": "http-alt-8082", "service_label_fr": "HTTP ALT 8082" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8082:8082 \u00b7 (reconnaissance)", "target_port_label": "8082 \u00b7 HTTP ALT 8082", "emulator_service": "http-alt-8082", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8082 \u2014 multi-protocole (23 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http-alt-8082", "service_label_fr": "HTTP ALT 8082", "dst_port": 8082, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8082", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8082, "service": "http-alt-8082", "service_label_fr": "HTTP ALT 8082" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8082:8082 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8082 \u00b7 HTTP ALT 8082", "emulator_service": "http-alt-8082", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8082", "service_banner": "honeypot-http-alt-8082", "service_os": "linux", "dst_port": "8082" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 24, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5900, 6379, 6443, 8001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 13, "scan_velocity_ports_per_s": 64.51, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 23, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "http-alt-8082" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	8000 · SAP ICM	sap-icm	Scan de ports port scan syn · via SAP ICM:8000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur SAP-ICM WAF — Recommandation Surveiller Tags net_port_scan_fast sap_icm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Service SAP ICM Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "sap-icm", "app_proto": "sap-icm", "asn": 8796, "country": "SC", "dst_port": 8000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "da13f9d91a9fa65374243ecc64354c5d02646066", "event_fingerprint": "35f03245cfcefbc377b60a7eaa4e05d4006fb65d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cc06abccc74d22aa4618e8ca66a2409a12f85c0e", "protocol_details": { "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "port scan syn \u00b7 via SAP ICM:8000 \u00b7 (reconnaissance)", "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SAP ICM \u2014 multi-protocole (24 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8000, "service": "sap-icm", "service_label_fr": "SAP ICM" }, "attack_vector": "port scan syn \u00b7 via SAP ICM:8000 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8000 \u00b7 SAP ICM", "emulator_service": "sap-icm", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 25, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5900, 6379, 6443, 8000 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 14, "scan_velocity_ports_per_s": 60.33, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 24, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "http-alt-8082" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "sap_icm_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	7001 · WEBLOGIC	weblogic	Scan de ports port scan syn · via WEBLOGIC:7001 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur WEBLOGIC WAF — Recommandation Surveiller Tags net_port_scan_fast weblogic_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7001 Chemin / cible — Service WEBLOGIC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043", "emulator_response_len": 177, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "weblogic", "app_proto": "weblogic", "asn": 8796, "country": "SC", "dst_port": 7001, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3fcef425cf6d5e04af560de16c42631b27272a8b", "event_fingerprint": "6f7c2121a7e056fb57bd2523bd43bf2060a47b5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "weblogic", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 7001, "service": "weblogic", "service_name": "weblogic", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "07acb5eae08360e51f20e03b427e156a44198252", "protocol_details": { "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "port scan syn \u00b7 via WEBLOGIC:7001 \u00b7 (reconnaissance)", "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via WEBLOGIC \u2014 multi-protocole (25 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "weblogic", "service_label_fr": "WEBLOGIC", "dst_port": 7001, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-weblogic", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 7001, "service": "weblogic", "service_label_fr": "WEBLOGIC" }, "attack_vector": "port scan syn \u00b7 via WEBLOGIC:7001 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "7001 \u00b7 WEBLOGIC", "emulator_service": "weblogic", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "weblogic", "service_banner": "honeypot-weblogic", "service_os": "linux", "dst_port": "7001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 26, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5900, 6379, 6443, 7001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 15, "scan_velocity_ports_per_s": 61.98, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 25, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "http-alt-8082" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "weblogic_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	8081 · HTTP ALT 8081	http-alt-8081	Scan de ports port scan syn · via HTTP ALT 8081:8081 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP-ALT-8081 WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8081 Chemin / cible — Service HTTP ALT 8081 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http-alt-8081", "app_proto": "http-alt-8081", "asn": 8796, "country": "SC", "dst_port": 8081, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "4c26c2b609b676bc5d714fe3251b5cdfdaaeb381", "event_fingerprint": "4b8d01bf5e0cd8f05e9c73ead2fc5951c1842a92", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http-alt-8081", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8081, "service": "http-alt-8081", "service_name": "http-alt-8081", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d14d91fd2da25abe99138129c9f0a9d0e3c5910d", "protocol_details": { "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)", "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8081 \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http-alt-8081", "service_label_fr": "HTTP ALT 8081", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8081", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8081", "service_banner": "honeypot-http-alt-8081", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 27, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5900, 6379, 6443, 7001 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 16, "scan_velocity_ports_per_s": 65.06, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	5901 · VNC	vnc	Scan de ports port scan syn · via VNC:5901 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VNC WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5901 Chemin / cible — Service VNC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "vnc", "app_proto": "vnc", "asn": 8796, "country": "SC", "dst_port": 5901, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "1b0a8dfabeea22865ca682ed240153e6e7261766", "event_fingerprint": "1f120765377258e8d734a87494c566260cf9e406", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "vnc", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5901, "service": "vnc", "service_name": "vnc", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6822bcdc268f5cd61436ff5b2c889cd3431ab479", "protocol_details": { "port": 5901, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5901 \u00b7 (reconnaissance)", "target_port_label": "5901 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VNC \u2014 multi-protocole (26 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vnc", "service_label_fr": "VNC", "dst_port": 5901, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vnc", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 5901, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5901 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5901 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vnc", "service_banner": "honeypot-vnc", "service_os": "linux", "dst_port": "5901" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 28, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5900, 5901, 6379, 6443 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 17, "scan_velocity_ports_per_s": 65.47, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 26, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	5432 · POSTGRES	postgres	Scan de ports port scan syn · via POSTGRES:5432 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Handshake PostgreSQL (startup) Émulateur POSTGRES WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast postgres_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5432 Chemin / cible — Service POSTGRES Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "postgres", "app_proto": "postgres", "asn": 8796, "country": "SC", "dst_port": 5432, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6725be58b62974f23391ef632d76c470fbbef8dd", "event_fingerprint": "5302d14dbea4b63204d1ed61b172d5e31032aca7", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "postgres", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5432, "service": "postgres", "service_name": "postgres", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "12a4c54a00c30b25416d73e22dab6e0418a9f624", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "port": 5432, "service": "postgres", "service_label_fr": "POSTGRES" }, "attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)", "target_port_label": "5432 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via POSTGRES \u2014 multi-protocole (27 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "postgres", "service_label_fr": "POSTGRES", "dst_port": 5432, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "PostgreSQL 15.4", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "port": 5432, "service": "postgres", "service_label_fr": "POSTGRES" }, "attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5432 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "postgres", "service_banner": "PostgreSQL 15.4", "service_os": "linux", "dst_port": "5432" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 29, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5900, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 18, "scan_velocity_ports_per_s": 68.14, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 27, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "postgres_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	10000 · WEBMIN	webmin	Scan de ports port scan syn · via WEBMIN:10000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur WEBMIN WAF — Recommandation Surveiller Tags net_port_scan_fast webmin_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10000 Chemin / cible — Service WEBMIN Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 126, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "webmin", "app_proto": "webmin", "asn": 8796, "country": "SC", "dst_port": 10000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "f6f8b00ee276ec0dc04212f7613c4569ede48db8", "event_fingerprint": "554995d9e038ae76febd9668bd51aadb43bc3553", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "webmin", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 10000, "service": "webmin", "service_name": "webmin", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "39ac1194cbe404eadcc6621ca158a2587ea268bb", "protocol_details": { "port": 10000, "service": "webmin", "service_label_fr": "WEBMIN" }, "attack_vector": "port scan syn \u00b7 via WEBMIN:10000 \u00b7 (reconnaissance)", "target_port_label": "10000 \u00b7 WEBMIN", "emulator_service": "webmin", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via WEBMIN \u2014 multi-protocole (28 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "webmin", "service_label_fr": "WEBMIN", "dst_port": 10000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-webmin", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 10000, "service": "webmin", "service_label_fr": "WEBMIN" }, "attack_vector": "port scan syn \u00b7 via WEBMIN:10000 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "10000 \u00b7 WEBMIN", "emulator_service": "webmin", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "webmin", "service_banner": "honeypot-webmin", "service_os": "linux", "dst_port": "10000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 30, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5900, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 19, "scan_velocity_ports_per_s": 66.25, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 28, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "webmin_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	8883 · MQTTS	mqtts	Scan de ports port scan syn · via MQTTS:8883 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MQTTS WAF — Recommandation Surveiller Tags mqtts_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8883 Chemin / cible — Service MQTTS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mqtts", "app_proto": "mqtts", "asn": 8796, "country": "SC", "dst_port": 8883, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "b18162c88c48e6748f5d3cd9e0b8d07abc9e1476", "event_fingerprint": "25dd54199c1aabd249dd54e6daebc9ce369e03f7", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mqtts", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8883, "service": "mqtts", "service_name": "mqtts", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e8daafd10fd2124d6bbbb5772418bf282039d3e3", "protocol_details": { "port": 8883, "service": "mqtts", "service_label_fr": "MQTTS" }, "attack_vector": "port scan syn \u00b7 via MQTTS:8883 \u00b7 (reconnaissance)", "target_port_label": "8883 \u00b7 MQTTS", "emulator_service": "mqtts", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTTS \u2014 multi-protocole (29 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mqtts", "service_label_fr": "MQTTS", "dst_port": 8883, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mqtts", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8883, "service": "mqtts", "service_label_fr": "MQTTS" }, "attack_vector": "port scan syn \u00b7 via MQTTS:8883 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8883 \u00b7 MQTTS", "emulator_service": "mqtts", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mqtts", "service_banner": "honeypot-mqtts", "service_os": "linux", "dst_port": "8883" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 31, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5900, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 20, "scan_velocity_ports_per_s": 66.11, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 29, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mqtts_emulated", "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	15672 · RabbitMQ Management	rabbitmq-mgmt	Scan de ports port scan syn · via RabbitMQ Management:15672 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RABBITMQ-MGMT WAF — Recommandation Surveiller Tags net_port_scan_fast rabbitmq_mgmt_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 15672 Chemin / cible — Service RabbitMQ Management Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "rabbitmq-mgmt", "app_proto": "rabbitmq-mgmt", "asn": 8796, "country": "SC", "dst_port": 15672, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "7b41aa778f3b277891f8aa814f03d8b8fef7f251", "event_fingerprint": "457ef3ebe5a41038a591a4d492268aaeb6480900", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rabbitmq-mgmt", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 15672, "service": "rabbitmq-mgmt", "service_name": "rabbitmq-mgmt", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "19f03db33f2d47b724ba2245656928e4e00e753c", "protocol_details": { "port": 15672, "service": "rabbitmq-mgmt", "service_label_fr": "RabbitMQ Management" }, "attack_vector": "port scan syn \u00b7 via RabbitMQ Management:15672 \u00b7 (reconnaissance)", "target_port_label": "15672 \u00b7 RabbitMQ Management", "emulator_service": "rabbitmq-mgmt", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RabbitMQ Management \u2014 multi-protocole (30 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rabbitmq-mgmt", "service_label_fr": "RabbitMQ Management", "dst_port": 15672, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rabbitmq-mgmt", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 15672, "service": "rabbitmq-mgmt", "service_label_fr": "RabbitMQ Management" }, "attack_vector": "port scan syn \u00b7 via RabbitMQ Management:15672 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "15672 \u00b7 RabbitMQ Management", "emulator_service": "rabbitmq-mgmt", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rabbitmq_mgmt", "service_banner": "honeypot-rabbitmq-mgmt", "service_os": "linux", "dst_port": "15672" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 32, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5900, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 21, "scan_velocity_ports_per_s": 59.92, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 30, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rabbitmq_mgmt_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	9090 · PROMETHEUS	prometheus	Scan de ports port scan syn · via PROMETHEUS:9090 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur PROMETHEUS WAF — Recommandation Surveiller Tags net_port_scan_fast prometheus_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9090 Chemin / cible — Service PROMETHEUS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "prometheus", "app_proto": "prometheus", "asn": 8796, "country": "SC", "dst_port": 9090, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3c638f3c298bd4c670c89b60742c2bfca7d63f57", "event_fingerprint": "d03f9b99067241df10fe0fa36e187d35e3de6da9", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "prometheus", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9090, "service": "prometheus", "service_name": "prometheus", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "84a1151c5e36eac4c062ea3b612071edbfdde6d0", "protocol_details": { "port": 9090, "service": "prometheus", "service_label_fr": "PROMETHEUS" }, "attack_vector": "port scan syn \u00b7 via PROMETHEUS:9090 \u00b7 (reconnaissance)", "target_port_label": "9090 \u00b7 PROMETHEUS", "emulator_service": "prometheus", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via PROMETHEUS \u2014 multi-protocole (31 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "prometheus", "service_label_fr": "PROMETHEUS", "dst_port": 9090, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-prometheus", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 9090, "service": "prometheus", "service_label_fr": "PROMETHEUS" }, "attack_vector": "port scan syn \u00b7 via PROMETHEUS:9090 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "9090 \u00b7 PROMETHEUS", "emulator_service": "prometheus", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "prometheus", "service_banner": "honeypot-prometheus", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 33, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5900, 5901, 6379 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 22, "scan_velocity_ports_per_s": 61.27, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 31, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001", "http-alt-8081" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "prometheus_emulated" ] }
13/06/2026 18:36:35 UTC	TCP	5672 · AMQP	amqp	Scan de ports port scan syn · via AMQP:5672 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur AMQP WAF — Recommandation Surveiller Tags amqp_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5672 Chemin / cible — Service AMQP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "414d515000000901010000000000000e000a000b000000000000000000", "emulator_response_len": 29, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "amqp", "app_proto": "amqp", "asn": 8796, "country": "SC", "dst_port": 5672, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "f838fa1738be90bb5cded0c7bcda986f4e2b9f2f", "event_fingerprint": "72ebc770e2cb1f40c3f18b5b4bc5c4fa513f5b29", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "amqp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5672, "service": "amqp", "service_name": "amqp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fbac36b491a1db41f6c336a7c16dcfcc2f20fc5e", "protocol_details": { "port": 5672, "service": "amqp", "service_label_fr": "AMQP" }, "attack_vector": "port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)", "target_port_label": "5672 \u00b7 AMQP", "emulator_service": "amqp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via AMQP \u2014 multi-protocole (32 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "amqp", "service_label_fr": "AMQP", "dst_port": 5672, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-amqp", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 5672, "service": "amqp", "service_label_fr": "AMQP" }, "attack_vector": "port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5672 \u00b7 AMQP", "emulator_service": "amqp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "amqp", "service_banner": "honeypot-amqp", "service_os": "linux", "dst_port": "5672" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 34, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900, 5901 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 23, "scan_velocity_ports_per_s": 58.32, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 32, "multi_protocol_sample": [ "amqp", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "amqp_emulated", "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	1883 · MQTT	mqtt	Scan de ports port scan syn · via MQTT:1883 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Connexion MQTT (CONNECT) Émulateur MQTT WAF — Recommandation Surveiller Tags mqtt_emulated net_bruteforce_burst net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1883 Chemin / cible — Service MQTT MQTT Connexion MQTT (CONNECT) Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mqtt", "app_proto": "mqtt", "asn": 8796, "country": "SC", "dst_port": 1883, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3dcecb1b8ce8d8b7b1debf4bd2c8687d4917e183", "event_fingerprint": "fee8f8e86b21ce5d7cca835e505fd9e20340232a", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mqtt", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 1883, "service": "mqtt", "service_name": "mqtt", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b0074c76c40c881153affd1ba1c9a66d45f33d6a", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "attack_vector": "port scan syn \u00b7 via MQTT:1883 \u00b7 (reconnaissance)", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTT \u2014 multi-protocole (33 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mqtt", "service_label_fr": "MQTT", "dst_port": 1883, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "MQTT 3.1.1", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "attack_vector": "port scan syn \u00b7 via MQTT:1883 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mqtt", "service_banner": "MQTT 3.1.1", "service_os": "iot", "dst_port": "1883" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 35, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 24, "scan_velocity_ports_per_s": 57.94, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 33, "multi_protocol_sample": [ "amqp", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mqtt_emulated", "net_bruteforce_burst", "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	8088 · HTTP ALT 8088	http-alt-8088	Scan de ports port scan syn · via HTTP ALT 8088:8088 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP-ALT-8088 WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8088 Chemin / cible — Service HTTP ALT 8088 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http-alt-8088", "app_proto": "http-alt-8088", "asn": 8796, "country": "SC", "dst_port": 8088, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "31ef3eb26aab54f533f55b16f5fbd3fdc59cd4d8", "event_fingerprint": "d2258c613dacf1d3a6383f9a084716b29d5b7d2f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http-alt-8088", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8088, "service": "http-alt-8088", "service_name": "http-alt-8088", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bc9f2ff708f1a0f5a55c12c988ffe457ad176748", "protocol_details": { "port": 8088, "service": "http-alt-8088", "service_label_fr": "HTTP ALT 8088" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8088:8088 \u00b7 (reconnaissance)", "target_port_label": "8088 \u00b7 HTTP ALT 8088", "emulator_service": "http-alt-8088", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8088 \u2014 multi-protocole (34 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http-alt-8088", "service_label_fr": "HTTP ALT 8088", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8088", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8088, "service": "http-alt-8088", "service_label_fr": "HTTP ALT 8088" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8088:8088 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8088 \u00b7 HTTP ALT 8088", "emulator_service": "http-alt-8088", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8088", "service_banner": "honeypot-http-alt-8088", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 36, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 25, "scan_velocity_ports_per_s": 51.79, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 34, "multi_protocol_sample": [ "amqp", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:36:35 UTC	TCP	8888 · HTTP	http	Scan de ports port scan syn · via HTTP:8888 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_dev_port http_alt_port net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8888 Chemin / cible — Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTP alt 8888 probe User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8888, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "892aec0465da3cfaf267dca07b46901a8e105eb0", "event_fingerprint": "f92f3292c2e4220234c2782b1e39bdbad68f1d01", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0599" ], "matched_pattern_names": [ "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0599" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c10e94820bcf1ef5fb4f709c89921265c377741e", "protocol_details": { "port": 8888, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)", "target_port_label": "8888 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (34 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8888, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8888, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8888 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 37, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 26, "scan_velocity_ports_per_s": 47.79, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 34, "multi_protocol_sample": [ "amqp", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_dev_port", "http_alt_port", "net_port_scan_fast" ] }
13/06/2026 18:36:28 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP WAF — Recommandation Surveiller Tags http_alt_8080 http_alt_port net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8080 Chemin / cible — Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 74% Confiance classification 74% Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http", "app_proto": "http", "asn": 8796, "country": "SC", "dst_port": 8080, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "986800c5ad65e75d541a277e48953dacf3f318da", "event_fingerprint": "5afc6680f618e490dc22cb875ac6d45b5c7d65ea", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "945d6c54aac35f31bab6fba8d81332256826a36c", "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 74, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 74 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_8080", "http_alt_port", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
13/06/2026 18:36:28 UTC	TCP	8443 · HTTPS	https	Sonde HTTP Sonde HTTP · via HTTPS:8443 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 71% Confiance classification 79% Corrélation +8 Risque capteur Moyen · 40 Confiance : Confiance 71 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "https", "app_proto": "https", "asn": 8796, "country": "SC", "dst_port": 8443, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0 }, "risk_score": 40, "tag_count": 2, "anomaly_count": 0, "campaign_key": "baa690d1c17ffc3e0bea7942e5e4e6fb74221eb7", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "service_name": "https", "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 40 }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40, "correlation_boost": 8 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.79, "classification_confidence": 0.79, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a290a31f54554d3db67fb9ec50e66b26c3cce82", "protocol_details": { "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 79, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 0, "risk_score": 40, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "Sonde HTTP \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 71 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "https" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe" ] }
13/06/2026 18:36:28 UTC	TCP	6379 · REDIS	redis	Scan de ports port scan syn · via REDIS:6379 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Sonde protocole Redis Émulateur REDIS WAF — Recommandation Surveiller Tags net_redis_probe redis_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6379 Chemin / cible — Service REDIS Redis Sonde protocole Redis Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b504f4e470d0a", "emulator_response_len": 7, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "redis", "app_proto": "redis", "asn": 8796, "country": "SC", "dst_port": 6379, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "b10303bd0e441f9f60f46376cbc4ca72292b5068", "event_fingerprint": "9c536ce82edfb6f83700eeb7934e9ac49a41747b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "redis", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 6379, "service": "redis", "service_name": "redis", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "df7f465e8c98fe1d3ce6a12856769904de0f753d", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)", "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via REDIS \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "redis", "service_label_fr": "REDIS", "dst_port": 6379, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Redis 7.0", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "redis_command_fr": "Sonde protocole Redis", "port": 6379, "service": "redis", "service_label_fr": "REDIS" }, "attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "6379 \u00b7 REDIS", "emulator_service": "redis", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "redis", "service_banner": "Redis 7.0", "service_os": "linux", "dst_port": "6379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 29.72, "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "https", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_redis_probe", "redis_emulated" ] }
13/06/2026 18:36:28 UTC	TCP	10250 · KUBELET	kubelet	Scan de ports port scan syn · via KUBELET:10250 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur KUBELET WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10250 Chemin / cible — Service KUBELET Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "kubelet", "app_proto": "kubelet", "asn": 8796, "country": "SC", "dst_port": 10250, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "6bd2b33f09a596c7caa65dbc72f849332a530856", "event_fingerprint": "a9c2cb9a599dbd42a424fa05e19f5cb77c52c216", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "kubelet", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 10250, "service": "kubelet", "service_name": "kubelet", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "769a4adb1eb6605b66ac8b172cd2fceaa368b28a", "protocol_details": { "port": 10250, "service": "kubelet", "service_label_fr": "KUBELET" }, "attack_vector": "port scan syn \u00b7 via KUBELET:10250 \u00b7 (reconnaissance)", "target_port_label": "10250 \u00b7 KUBELET", "emulator_service": "kubelet", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via KUBELET \u2014 multi-protocole (4 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "kubelet", "service_label_fr": "KUBELET", "dst_port": 10250, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Kubernetes kubelet", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 10250, "service": "kubelet", "service_label_fr": "KUBELET" }, "attack_vector": "port scan syn \u00b7 via KUBELET:10250 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "10250 \u00b7 KUBELET", "emulator_service": "kubelet", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "kubelet", "service_banner": "Kubernetes kubelet", "service_os": "linux", "dst_port": "10250" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 6379, 8080, 8443, 10250 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 39.02, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 4, "multi_protocol_sample": [ "http", "https", "kubelet", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor" }
13/06/2026 18:36:28 UTC	TCP	27017 · MONGODB	mongodb	Scan de ports port scan syn · via MONGODB:27017 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MONGODB WAF — Recommandation Surveiller Tags mongodb_emulated net_mongodb_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 27017 Chemin / cible — Service MONGODB Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00", "emulator_response_len": 62, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mongodb", "app_proto": "mongodb", "asn": 8796, "country": "SC", "dst_port": 27017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "529d9b2894453058f3efabc7b1a0f869e5afeac0", "event_fingerprint": "af0bf670397a78dc9d7687bcdee19adac845dc50", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mongodb", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 27017, "service": "mongodb", "service_name": "mongodb", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7e306d7d34cdf1a310a34bd09c3a7b3560e68d6b", "protocol_details": { "mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)", "port": 27017, "service": "mongodb", "service_label_fr": "MONGODB" }, "attack_vector": "port scan syn \u00b7 via MONGODB:27017 \u00b7 (reconnaissance)", "target_port_label": "27017 \u00b7 MONGODB", "emulator_service": "mongodb", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MONGODB \u2014 multi-protocole (5 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mongodb", "service_label_fr": "MONGODB", "dst_port": 27017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mongodb", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)", "port": 27017, "service": "mongodb", "service_label_fr": "MONGODB" }, "attack_vector": "port scan syn \u00b7 via MONGODB:27017 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "27017 \u00b7 MONGODB", "emulator_service": "mongodb", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mongodb", "service_banner": "honeypot-mongodb", "service_os": "linux", "dst_port": "27017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 6379, 8080, 8443, 10250, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 46.8, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 5, "multi_protocol_sample": [ "http", "https", "kubelet", "mongodb", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_emulated", "net_mongodb_probe" ] }
13/06/2026 18:36:28 UTC	TCP	2375 · DOCKER	docker	Scan de ports port scan syn · via DOCKER:2375 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_emulated net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "docker", "app_proto": "docker", "asn": 8796, "country": "SC", "dst_port": 2375, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "7fac8b9fb4e847c8c2abe3f25f6668d2413acad8", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "adb30dbbdc8b17793c3fbff47b2d1e3b4b172daf", "protocol_details": { "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "port scan syn \u00b7 via DOCKER:2375 \u00b7 (reconnaissance)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via DOCKER \u2014 multi-protocole (6 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "port scan syn \u00b7 via DOCKER:2375 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 2375, 6379, 8080, 8443, 10250, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 6, "scan_velocity_ports_per_s": 55.43, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 6, "multi_protocol_sample": [ "docker", "http", "https", "kubelet", "mongodb", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_emulated", "net_docker_api_probe" ] }
13/06/2026 18:36:28 UTC	TCP	11211 · MEMCACHED	memcached	Scan de ports port scan syn · via MEMCACHED:11211 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MEMCACHED WAF — Recommandation Surveiller Tags memcached_emulated net_memcached_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 11211 Chemin / cible — Service MEMCACHED Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "56455253494f4e20312e362e360d0a", "emulator_response_len": 15, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "memcached", "app_proto": "memcached", "asn": 8796, "country": "SC", "dst_port": 11211, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "07d250de1613ce6c48278b47e5c33290f8ed10e2", "event_fingerprint": "2fcce8d4fd15e6ca50ec0235eeed2c6616def357", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "memcached", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 11211, "service": "memcached", "service_name": "memcached", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7538f2613c5189cfbd4ede7c7ddc179e0095168a", "protocol_details": { "port": 11211, "service": "memcached", "service_label_fr": "MEMCACHED" }, "attack_vector": "port scan syn \u00b7 via MEMCACHED:11211 \u00b7 (reconnaissance)", "target_port_label": "11211 \u00b7 MEMCACHED", "emulator_service": "memcached", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MEMCACHED \u2014 multi-protocole (7 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "memcached", "service_label_fr": "MEMCACHED", "dst_port": 11211, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-memcached", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 11211, "service": "memcached", "service_label_fr": "MEMCACHED" }, "attack_vector": "port scan syn \u00b7 via MEMCACHED:11211 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "11211 \u00b7 MEMCACHED", "emulator_service": "memcached", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "memcached", "service_banner": "honeypot-memcached", "service_os": "linux", "dst_port": "11211" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2375, 6379, 8080, 8443, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 62.81, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 7, "multi_protocol_sample": [ "docker", "http", "https", "kubelet", "memcached", "mongodb", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "memcached_emulated", "net_memcached_probe" ] }
13/06/2026 18:36:28 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports port scan syn · via ELASTICSEARCH:9200 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Sonde Elasticsearch (REST) Émulateur ELASTICSEARCH WAF — Recommandation Surveiller Tags elasticsearch_emulated net_elasticsearch_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9200 Chemin / cible — Service ELASTICSEARCH Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 8796, "country": "SC", "dst_port": 9200, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "6dfec99b98d53481ee9b4cf1a1a54e12b0341ca9", "event_fingerprint": "64ce65412bf1b81fa23464b76dd480979155e3d0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2efba0e3538a4dacb05be478f1bb95276f43d70b", "protocol_details": { "elasticsearch_probe_fr": "Sonde Elasticsearch (REST)", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "port scan syn \u00b7 via ELASTICSEARCH:9200 \u00b7 (reconnaissance)", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via ELASTICSEARCH \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "elasticsearch_probe_fr": "Sonde Elasticsearch (REST)", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "port scan syn \u00b7 via ELASTICSEARCH:9200 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 2375, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 8, "scan_velocity_ports_per_s": 70.78, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "docker", "elasticsearch", "http", "https", "kubelet", "memcached", "mongodb", "redis" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "elasticsearch_emulated", "net_elasticsearch_probe" ] }
13/06/2026 18:36:28 UTC	TCP	1433 · MSSQL	mssql	Scan de ports port scan syn · via MSSQL:1433 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MSSQL WAF — Recommandation Surveiller Tags mssql_emulated net_mssql_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1433 Chemin / cible — Service MSSQL Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "001f00001a00060000000000000000000000000000000000000000000000000000", "emulator_response_len": 33, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mssql", "app_proto": "mssql", "asn": 8796, "country": "SC", "dst_port": 1433, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "1a5b2fa475f95e8d817d64405cb3644e25f7ec32", "event_fingerprint": "6e104f6072c052d0dd22893d2f1fa140642f7c7c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mssql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 1433, "service": "mssql", "service_name": "mssql", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4c32706d3e1b9c910f489c47b99a564e2479aaf2", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "port scan syn \u00b7 via MSSQL:1433 \u00b7 (reconnaissance)", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MSSQL \u2014 multi-protocole (9 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mssql", "service_label_fr": "MSSQL", "dst_port": 1433, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mssql", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "port scan syn \u00b7 via MSSQL:1433 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mssql", "service_banner": "honeypot-mssql", "service_os": "linux", "dst_port": "1433" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 1433, 2375, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 9, "scan_velocity_ports_per_s": 72.52, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 9, "multi_protocol_sample": [ "docker", "elasticsearch", "http", "https", "kubelet", "memcached", "mongodb", "mssql" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mssql_emulated", "net_mssql_probe" ] }
13/06/2026 18:36:28 UTC	TCP	2376 · DOCKER TLS	docker-tls	Scan de ports port scan syn · via DOCKER TLS:2376 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur DOCKER-TLS WAF — Recommandation Surveiller Tags docker_tls_emulated net_docker_tls_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2376 Chemin / cible — Service DOCKER TLS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "15030300020228", "emulator_response_len": 7, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "docker-tls", "app_proto": "docker-tls", "asn": 8796, "country": "SC", "dst_port": 2376, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "f21ba41294d0290ba258c221013f4610a4db2a27", "event_fingerprint": "0e1c691ada97ecfe1cd84524e4db6b819b7ed10b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "docker-tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2376, "service": "docker-tls", "service_name": "docker-tls", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f1da067582b1aac5d6c01c21e0739934c4729b99", "protocol_details": { "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "attack_vector": "port scan syn \u00b7 via DOCKER TLS:2376 \u00b7 (reconnaissance)", "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via DOCKER TLS \u2014 multi-protocole (10 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "docker-tls", "service_label_fr": "DOCKER TLS", "dst_port": 2376, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-docker-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "attack_vector": "port scan syn \u00b7 via DOCKER TLS:2376 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker_tls", "service_banner": "honeypot-docker-tls", "service_os": "linux", "dst_port": "2376" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 1433, 2375, 2376, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 10, "scan_velocity_ports_per_s": 79.45, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 10, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "http", "https", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_tls_emulated", "net_docker_tls_probe" ] }
13/06/2026 18:36:28 UTC	TCP	5900 · VNC	vnc	Scan de ports port scan syn · via VNC:5900 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VNC WAF — Recommandation Surveiller Tags net_vnc_probe vnc_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5900 Chemin / cible — Service VNC Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "524642203030332e3030380a", "emulator_response_len": 12, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "vnc", "app_proto": "vnc", "asn": 8796, "country": "SC", "dst_port": 5900, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "85454e6c29c51aac1db940d56f57ff1075b15dc1", "event_fingerprint": "3a1818c09cc3b5e6ad75703011c0dde91c1bf15b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "vnc", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5900, "service": "vnc", "service_name": "vnc", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dc28b0a7efce638846ca7789bdc55acf70124f06", "protocol_details": { "port": 5900, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5900 \u00b7 (reconnaissance)", "target_port_label": "5900 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VNC \u2014 multi-protocole (11 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vnc", "service_label_fr": "VNC", "dst_port": 5900, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vnc", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 5900, "service": "vnc", "service_label_fr": "VNC" }, "attack_vector": "port scan syn \u00b7 via VNC:5900 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5900 \u00b7 VNC", "emulator_service": "vnc", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vnc", "service_banner": "honeypot-vnc", "service_os": "linux", "dst_port": "5900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 1433, 2375, 2376, 5900, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 11, "scan_velocity_ports_per_s": 84.28, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 11, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "http", "https", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_vnc_probe", "vnc_emulated" ] }
13/06/2026 18:13:40 UTC	TCP	9090 · PROMETHEUS	prometheus	Scan de ports port scan syn · via PROMETHEUS:9090 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur PROMETHEUS WAF — Recommandation Surveiller Tags net_port_scan_fast prometheus_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9090 Chemin / cible — Service PROMETHEUS Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "prometheus", "app_proto": "prometheus", "asn": 8796, "country": "SC", "dst_port": 9090, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3c638f3c298bd4c670c89b60742c2bfca7d63f57", "event_fingerprint": "d03f9b99067241df10fe0fa36e187d35e3de6da9", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "prometheus", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9090, "service": "prometheus", "service_name": "prometheus", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "84a1151c5e36eac4c062ea3b612071edbfdde6d0", "protocol_details": { "port": 9090, "service": "prometheus", "service_label_fr": "PROMETHEUS" }, "attack_vector": "port scan syn \u00b7 via PROMETHEUS:9090 \u00b7 (reconnaissance)", "target_port_label": "9090 \u00b7 PROMETHEUS", "emulator_service": "prometheus", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via PROMETHEUS \u2014 multi-protocole (34 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "prometheus", "service_label_fr": "PROMETHEUS", "dst_port": 9090, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-prometheus", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 9090, "service": "prometheus", "service_label_fr": "PROMETHEUS" }, "attack_vector": "port scan syn \u00b7 via PROMETHEUS:9090 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "9090 \u00b7 PROMETHEUS", "emulator_service": "prometheus", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "prometheus", "service_banner": "honeypot-prometheus", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 37, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5900, 5901 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 26, "scan_velocity_ports_per_s": 35.95, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 34, "multi_protocol_sample": [ "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "prometheus_emulated" ] }
13/06/2026 18:13:40 UTC	TCP	8081 · HTTP ALT 8081	http-alt-8081	Scan de ports port scan syn · via HTTP ALT 8081:8081 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTP-ALT-8081 WAF — Recommandation Surveiller Tags net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8081 Chemin / cible — Service HTTP ALT 8081 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 1 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "http-alt-8081", "app_proto": "http-alt-8081", "asn": 8796, "country": "SC", "dst_port": 8081, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 1, "anomaly_count": 0, "campaign_key": "4c26c2b609b676bc5d714fe3251b5cdfdaaeb381", "event_fingerprint": "4b8d01bf5e0cd8f05e9c73ead2fc5951c1842a92", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http-alt-8081", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8081, "service": "http-alt-8081", "service_name": "http-alt-8081", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d14d91fd2da25abe99138129c9f0a9d0e3c5910d", "protocol_details": { "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)", "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8081 \u2014 multi-protocole (35 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http-alt-8081", "service_label_fr": "HTTP ALT 8081", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8081", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 8081, "service": "http-alt-8081", "service_label_fr": "HTTP ALT 8081" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "8081 \u00b7 HTTP ALT 8081", "emulator_service": "http-alt-8081", "confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8081", "service_banner": "honeypot-http-alt-8081", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 38, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5900, 5901 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 27, "scan_velocity_ports_per_s": 27.06, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 35, "multi_protocol_sample": [ "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http", "http-alt-8001" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast" ] }
13/06/2026 18:13:40 UTC	TCP	5672 · AMQP	amqp	Scan de ports port scan syn · via AMQP:5672 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur AMQP WAF — Recommandation Surveiller Tags amqp_emulated net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5672 Chemin / cible — Service AMQP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "414d515000000901010000000000000e000a000b000000000000000000", "emulator_response_len": 29, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "amqp", "app_proto": "amqp", "asn": 8796, "country": "SC", "dst_port": 5672, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "f838fa1738be90bb5cded0c7bcda986f4e2b9f2f", "event_fingerprint": "72ebc770e2cb1f40c3f18b5b4bc5c4fa513f5b29", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "amqp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5672, "service": "amqp", "service_name": "amqp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fbac36b491a1db41f6c336a7c16dcfcc2f20fc5e", "protocol_details": { "port": 5672, "service": "amqp", "service_label_fr": "AMQP" }, "attack_vector": "port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)", "target_port_label": "5672 \u00b7 AMQP", "emulator_service": "amqp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via AMQP \u2014 multi-protocole (36 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "amqp", "service_label_fr": "AMQP", "dst_port": 5672, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-amqp", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 5672, "service": "amqp", "service_label_fr": "AMQP" }, "attack_vector": "port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5672 \u00b7 AMQP", "emulator_service": "amqp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "amqp", "service_banner": "honeypot-amqp", "service_os": "linux", "dst_port": "5672" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 39, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 28, "scan_velocity_ports_per_s": 27.43, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 36, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "amqp_emulated", "net_port_scan_fast" ] }
13/06/2026 18:13:40 UTC	TCP	15672 · RabbitMQ Management	rabbitmq-mgmt	Scan de ports port scan syn · via RabbitMQ Management:15672 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RABBITMQ-MGMT WAF — Recommandation Surveiller Tags net_port_scan_fast rabbitmq_mgmt_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 15672 Chemin / cible — Service RabbitMQ Management Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "rabbitmq-mgmt", "app_proto": "rabbitmq-mgmt", "asn": 8796, "country": "SC", "dst_port": 15672, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "7b41aa778f3b277891f8aa814f03d8b8fef7f251", "event_fingerprint": "457ef3ebe5a41038a591a4d492268aaeb6480900", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rabbitmq-mgmt", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 15672, "service": "rabbitmq-mgmt", "service_name": "rabbitmq-mgmt", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "19f03db33f2d47b724ba2245656928e4e00e753c", "protocol_details": { "port": 15672, "service": "rabbitmq-mgmt", "service_label_fr": "RabbitMQ Management" }, "attack_vector": "port scan syn \u00b7 via RabbitMQ Management:15672 \u00b7 (reconnaissance)", "target_port_label": "15672 \u00b7 RabbitMQ Management", "emulator_service": "rabbitmq-mgmt", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RabbitMQ Management \u2014 multi-protocole (37 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rabbitmq-mgmt", "service_label_fr": "RabbitMQ Management", "dst_port": 15672, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rabbitmq-mgmt", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 15672, "service": "rabbitmq-mgmt", "service_label_fr": "RabbitMQ Management" }, "attack_vector": "port scan syn \u00b7 via RabbitMQ Management:15672 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "15672 \u00b7 RabbitMQ Management", "emulator_service": "rabbitmq-mgmt", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rabbitmq_mgmt", "service_banner": "honeypot-rabbitmq-mgmt", "service_os": "linux", "dst_port": "15672" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 40, "port_scan_ports_sample": [ 21, 22, 23, 445, 873, 1433, 1883, 2049, 2375, 2376, 3306, 3389, 5000, 5432, 5672, 5900 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 29, "scan_velocity_ports_per_s": 23.66, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "iot", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 37, "multi_protocol_sample": [ "amqp", "cassandra", "docker", "docker-tls", "elasticsearch", "flask-http", "ftp", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rabbitmq_mgmt_emulated" ] }
13/06/2026 18:13:39 UTC	TCP	5432 · POSTGRES	postgres	Scan de ports port scan syn · via POSTGRES:5432 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Handshake PostgreSQL (startup) Émulateur POSTGRES WAF — Recommandation Surveiller Tags net_port_scan_fast postgres_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5432 Chemin / cible — Service POSTGRES Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +19 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "postgres", "app_proto": "postgres", "asn": 8796, "country": "SC", "dst_port": 5432, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "fae171d2686c21d2365e42b670c4e325d545c8fb", "event_fingerprint": "5302d14dbea4b63204d1ed61b172d5e31032aca7", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 19 }, "named_classification_skipped": false, "service_name": "postgres", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 5432, "service": "postgres", "service_name": "postgres", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f39fb762a65e1532e875ff2e3db0f67358cb62ef", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "port": 5432, "service": "postgres", "service_label_fr": "POSTGRES" }, "attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)", "target_port_label": "5432 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via POSTGRES \u2014 multi-protocole (12 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 19 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "postgres", "service_label_fr": "POSTGRES", "dst_port": 5432, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "PostgreSQL 15.4", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +19", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "port": 5432, "service": "postgres", "service_label_fr": "POSTGRES" }, "attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "5432 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "postgres", "service_banner": "PostgreSQL 15.4", "service_os": "linux", "dst_port": "5432" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 1433, 2375, 2376, 5432, 5900, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 12, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "http", "https", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 19, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "postgres_emulated" ] }
13/06/2026 18:13:39 UTC	TCP	3306 · MYSQL	mysql	Scan de ports port scan syn · via MYSQL:3306 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MYSQL WAF — Recommandation Surveiller Tags mysql_emulated mysql_handshake net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3306 Chemin / cible — Service MYSQL Pourquoi cette classification : Poignée de main MySQL · confiance 100% Confiance classification 100% Corrélation +19 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "mysql", "app_proto": "mysql", "asn": 8796, "country": "SC", "dst_port": 3306, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d33e704b19d7020f09cde303c282ef568fca0398", "event_fingerprint": "fc636b2a9fe65cd127101ef17af779a5183b0a0c", "classification_reason": "Poign\u00e9e de main MySQL \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 19 }, "named_classification_skipped": false, "service_name": "mysql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3306, "service": "mysql", "service_name": "mysql", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "81b707694027c788b580a508f840ce4fd2b6775a", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Poign\u00e9e de main MySQL \u00b7 confiance 100%", "classification_reason_label_fr": "Poign\u00e9e de main MySQL \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MYSQL \u2014 multi-protocole (13 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 19 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mysql", "service_label_fr": "MYSQL", "dst_port": 3306, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "8.0.32-MySQL", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +19", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mysql", "service_banner": "8.0.32-MySQL", "service_os": "linux", "dst_port": "3306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 13, "port_scan_ports_sample": [ 1433, 2375, 2376, 3306, 5432, 5900, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 13, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "http", "https", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 19, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mysql_emulated", "mysql_handshake", "net_port_scan_fast" ] }
13/06/2026 18:13:39 UTC	TCP	22 · SSH	ssh	Scan de ports port scan syn · via SSH:22 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur SSH WAF — Recommandation Surveiller Tags net_bruteforce_burst net_port_scan_fast ssh_banner_grab ssh_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Service SSH Pourquoi cette classification : Bannière client SSH reçue · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "FASTNET DATA INC", "service": "ssh", "app_proto": "ssh", "asn": 8796, "country": "SC", "dst_port": 22, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a9b517824c94778e6748155f74784f3a93add744", "event_fingerprint": "b4929bf32779aefad610d20ae581619a267ba9f6", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 22, "service": "ssh", "service_name": "ssh", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87e0ca97b7bdc4227f7650f13d3e74f6532996ff", "protocol_details": { "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "port scan syn \u00b7 via SSH:22 \u00b7 (reconnaissance)", "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH \u2014 multi-protocole (14 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 22, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 22, "service": "ssh", "service_label_fr": "SSH" }, "attack_vector": "port scan syn \u00b7 via SSH:22 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "22 \u00b7 SSH", "emulator_service": "ssh", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "22" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 14, "port_scan_ports_sample": [ 22, 1433, 2375, 2376, 3306, 5432, 5900, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 30, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 14, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "http", "https", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_port_scan_fast", "ssh_banner_grab", "ssh_emulated" ] }
13/06/2026 18:13:39 UTC	TCP	3389 · RDP	rdp	Scan de ports port scan syn · via RDP:3389 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur RDP WAF — Recommandation Surveiller Tags net_port_scan_fast rdp_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3389 Chemin / cible — Service RDP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "FASTNET DATA INC", "service": "rdp", "app_proto": "rdp", "asn": 8796, "country": "SC", "dst_port": 3389, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "3e883454a29ace2a688535dc2bc3e66adc65508d", "event_fingerprint": "e363e414733e6c4de1b1bc87369dc66f1f76c868", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rdp", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "SC", "asn": 8796, "org": "FASTNET DATA INC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3389, "service": "rdp", "service_name": "rdp", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6afe41ca5be6597013e0c45ff6276a5b8c62e579", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RDP \u2014 multi-protocole (15 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rdp", "service_label_fr": "RDP", "dst_port": 3389, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Windows RDP", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "port": 3389, "service": "rdp", "service_label_fr": "RDP" }, "attack_vector": "port scan syn \u00b7 via RDP:3389 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "3389 \u00b7 RDP", "emulator_service": "rdp", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rdp", "service_banner": "Windows RDP", "service_os": "windows", "dst_port": "3389" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 15, "port_scan_ports_sample": [ 22, 1433, 2375, 2376, 3306, 3389, 5432, 5900, 6379, 8080, 8443, 9200, 10250, 11211, 27017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 40, "multi_category_scan": true, "scan_category_diversity": [ "cloud", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 15, "multi_protocol_sample": [ "docker", "docker-tls", "elasticsearch", "http", "https", "kubelet", "memcached", "mongodb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "rdp_emulated" ] }

45.207.205.45

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence