{"ip":"50.116.17.136","exported_at":"2026-07-19T19:04:20+00:00","period_days":30,"metrics":{"events7d":45,"distinct_ports":3,"distinct_classifications":17,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":52,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0,"risk_breakdown":{"waf":8,"classification":32,"behavior":0,"geo":40,"protocol":30,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":43,"executive_one_liner_fr":"Activit\u00e9 suspecte","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":32,"behavior":0,"geo":40,"protocol":30,"novelty":0,"risk_score":24},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":0,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":"pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0001I20100","port":1723,"service":"pptp","service_label_fr":"PPTP"},"protocol_summary_fr":"Payload \u0001I20100 \u00b7 PPTP:1723","evidence_snippet":"I20100","target_port_label":"1723 \u00b7 PPTP","emulator_service":"pptp","confidence_reason":"Confiance 0 % \u2014 3 signal(aux) capteur","classification_reason":"Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%","classification_reason_label_fr":"Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%","confidence_factors_fr":null,"payload_preview":"I20100"},"events":[{"id":12826543,"ip":"50.116.17.136","ts":"2026-07-19 02:17:23.000000","proto":"tcp","src_port":47806,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 5, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228855508aade16ec573d21e6a485dfd0a\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222d4ddbdc1953373c0281f968f8b0651995e50362\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":5},{"id":12826544,"ip":"50.116.17.136","ts":"2026-07-19 02:17:23.000000","proto":"tcp","src_port":47822,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 8, \u0022payload_entropy\u0022: 2.4056390622295662, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002239fea238df890c005706b34a9316349a\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 24}, \u0022payload_preview\u0022: \u0022\\u0001I20100\\n\u0022, \u0022request_sample\u0022: \u0022\\u0001I20100\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0001I20100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0001I20100\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0001I20100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022edbbfb4c7d709b939e1275b841246a5ce23b6208\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001I20100\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022I20100\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001I20100\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022I20100\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":8},{"id":12826539,"ip":"50.116.17.136","ts":"2026-07-19 02:17:22.000000","proto":"tcp","src_port":47762,"dst_port":1723,"service":"pptp","classification":"smb_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 24, \u0022payload_entropy\u0022: 1.0238995733215064, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0354\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0354\u0022], \u0022matched_patterns\u0022: [\u0022pat-0354\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SMB negotiate\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0354\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b54520be3d454f6926b094aac799ac34\u0022, \u0022path_pattern_hash\u0022: \u0022b6c073dc229e6284b4cae7886c46d504\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\b\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\b\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\b\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\b\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\b\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225facca79cbd9305e6e2c3f5a61bf267d0e7c65c7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\b\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022smb probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0354\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0354\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\b\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022smb probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":24},{"id":12826540,"ip":"50.116.17.136","ts":"2026-07-19 02:17:22.000000","proto":"tcp","src_port":47776,"dst_port":1723,"service":"pptp","classification":"tor_exit_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 4.322879559217196, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a9f6ba3e4a2b5c31c66f3d640d990c1763bea155\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022, \u0022confidence\u0022: 0.46, \u0022classification_confidence\u0022: 0.46, \u0022precision_score\u0022: 55, \u0022precision_signals\u0022: [\u0022INT-TOR-exit-hint\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-TOR-exit-hint\u0022], \u0022matched_patterns\u0022: [\u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 46.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c3b76b5602952ca3d678868a2a4dc525\u0022, \u0022path_pattern_hash\u0022: \u0022d2d40d620e587c49ef0af866b893b1d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000_@\\u0000\\u00017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000InitiatorName=iqn.1991-05.com.microsoft:beio-iscsi-probe\\u0000SessionType=Discovery\\u0000A\u0022, \u0022request_sample\u0022: \u0022\\u0003\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000_@\\u0000\\u00017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000InitiatorName=iqn.1991-05.com.microsoft:beio-iscsi-probe\\u0000SessionType=Discovery\\u0000AuthMethod=None\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000_@\\u0000\\u00017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000InitiatorName=iqn.1991-05.com.microsoft:beio-iscsi-probe\\u0000SessionType=Discovery\\u0000A\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000_@\\u0000\\u00017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000InitiatorName=iqn.1991-05.com.microsoft:beio-iscsi-probe\\u0000SessionType=Discovery\\u0000AuthMethod=None\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000_@\\u0000\\u00017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000InitiatorName=iqn.1991-05.com.microsoft:beio-iscsi-probe\\u0000SessionType=Discovery\\u0000A\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002236bf43a507b894feab233d4df5a912a0cfcb89f5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000_@\\u0000\\u00017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000InitiatorName=iqn.1991-05.com.microsoft:beio-iscsi-probe\\u0000SessionType=Discovery\\u0000A\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd_@7InitiatorName=iqn.1991-05.com.microsoft:beio-iscsi-probeSessionType=DiscoveryA\u0022, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via PPTP:1723 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 46 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 46 % \u2014 via PPTP\u0022, \u0022confidence_pct\u0022: 46, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-TOR-exit-hint\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Tor Exit Hint\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000_@\\u0000\\u00017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000InitiatorName=iqn.1991-05.com.microsoft:beio-iscsi-probe\\u0000SessionType=Discovery\\u0000A\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via PPTP:1723 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd_@7InitiatorName=iqn.1991-05.com.microsoft:beio-iscsi-probeSessionType=DiscoveryA\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 46 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 46 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022tor_exit_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":144},{"id":12826541,"ip":"50.116.17.136","ts":"2026-07-19 02:17:22.000000","proto":"tcp","src_port":47778,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 211, \u0022payload_entropy\u0022: 3.723542292143943, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0577\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222b2f0f60ab534853bdae51b3f2504307\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0001\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0001\\u0000\\u0000ANY-SCP\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000FINDSCU\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0010\\u0000\\u0000\\u00151.2.840.10008.3.1.1.1 \\u0000\\u0000.\\u0001\\u0000\\u0000\\u00000\\u0000\\u0000\\u00111.2.840.10008.1.1\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0001\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0001\\u0000\\u0000ANY-SCP\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000FINDSCU\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0010\\u0000\\u0000\\u00151.2.840.10008.3.1.1.1 \\u0000\\u0000.\\u0001\\u0000\\u0000\\u00000\\u0000\\u0000\\u00111.2.840.10008.1.1@\\u0000\\u0000\\u00111.2.840.10008.1.2P\\u0000\\u0000:Q\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000R\\u0000\\u0000\\u001e1.2.826.0.1.3680043.2.1396.999U\\u0000\\u0000\\fCharruaVista\u0022, \u0022payload_snippet\u0022: \u0022\\u0001\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0001\\u0000\\u0000ANY-SCP\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000FINDSCU\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0010\\u0000\\u0000\\u00151.2.840.10008.3.1.1.1 \\u0000\\u0000.\\u0001\\u0000\\u0000\\u00000\\u0000\\u0000\\u00111.2.840.10008.1.1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002258e6929244f82027fa56563c2cfc1c278cf54a7d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0001\\u0000\\u0000ANY-SCP\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000FINDSCU\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0010\\u0000\\u0000\\u00151.2.840.10008.3.1.1.1 \\u0000\\u0000.\\u0001\\u0000\\u0000\\u00000\\u0000\\u0000\\u00111.2.840.10008.1.1\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdANY-SCPFINDSCU1.2.840.10008.3.1.1.1 .01.2.840.10008.1.1\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0577\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0577\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0001\\u0000\\u0000ANY-SCP\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000FINDSCU\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0010\\u0000\\u0000\\u00151.2.840.10008.3.1.1.1 \\u0000\\u0000.\\u0001\\u0000\\u0000\\u00000\\u0000\\u0000\\u00111.2.840.10008.1.1\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdANY-SCPFINDSCU1.2.840.10008.3.1.1.1 .01.2.840.10008.1.1\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":211},{"id":12826542,"ip":"50.116.17.136","ts":"2026-07-19 02:17:22.000000","proto":"tcp","src_port":47790,"dst_port":1723,"service":"pptp","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 51, \u0022payload_entropy\u0022: 4.135751247023955, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a9f6ba3e4a2b5c31c66f3d640d990c1763bea155\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c95ff23a3feaef89ab3569b251ff78d\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administrator\\r\\n\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administrator\\r\\n\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administrator\\r\\n\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administrator\\r\\n\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administrator\\r\\n\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b8165daccccfa0ded1170eeff0b706e6d524f4f8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administrator\\r\\n\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022,\u0027\ufffdCookie: mstshash=Administrator\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via PPTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000,\u0027\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administrator\\r\\n\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022,\u0027\ufffdCookie: mstshash=Administrator\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022tor_exit_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022tor_exit_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":51},{"id":12826535,"ip":"50.116.17.136","ts":"2026-07-19 02:17:21.000000","proto":"tcp","src_port":47724,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 18, \u0022payload_entropy\u0022: 1.2086489509530647, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0532\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022817773a4a3987fc7642ff30928d792fc\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002281e6f2d933c9afd8aae7a48db1b76203a59ba609\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0532\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0532\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":18},{"id":12826536,"ip":"50.116.17.136","ts":"2026-07-19 02:17:21.000000","proto":"tcp","src_port":47736,"dst_port":1723,"service":"pptp","classification":"websphere_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 48, \u0022payload_entropy\u0022: 2.5723387961875535, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0605\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0605\u0022], \u0022matched_patterns\u0022: [\u0022pat-0605\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022GIOP WebSphere IIOP\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0605\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a2295e3d24182f08220a2dae2c40ff1c\u0022, \u0022path_pattern_hash\u0022: \u0022a8ef247ba3612b90c1c670387b185e85\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022, \u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226e9c87ab3117c4c7ffc95f9efcec32cbd34be2d3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022GIOP$abcdefget\u0022, \u0022attack_vector\u0022: \u0022websphere probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0605\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0605\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022websphere probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GIOP$abcdefget\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":48},{"id":12826537,"ip":"50.116.17.136","ts":"2026-07-19 02:17:21.000000","proto":"tcp","src_port":47740,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 16, \u0022payload_entropy\u0022: 3.0306390622295662, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e522ef50a429f4fc944717d334d0c486\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0000\\u000e87\ufffd\u0026\\b\ufffd\\u001b\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u000e87\ufffd\u0026\\b\ufffd\\u001b\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u000e87\ufffd\u0026\\b\ufffd\\u001b\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u000e87\ufffd\u0026\\b\ufffd\\u001b\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u000e87\ufffd\u0026\\b\ufffd\\u001b\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bfb92b9274a58cf9d53865b736951a49b642db46\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u000e87\ufffd\u0026\\b\ufffd\\u001b\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u002287\ufffd\u0026\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u000e87\ufffd\u0026\\b\ufffd\\u001b\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u002287\ufffd\u0026\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":16},{"id":12826538,"ip":"50.116.17.136","ts":"2026-07-19 02:17:21.000000","proto":"tcp","src_port":47750,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 2380, \u0022payload_entropy\u0022: 4.684268227684846, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224e59b427ee6488faa8803fa276e99d84\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0010\\u0000\\u0003\\u0000LIORL\\t\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000c\ufffd\ufffdd\\u0001\\u0000\\u0000\\u0000\\u0001\\u001c \\u0002`\\u0000h\\u0000t\\u0000t\\u0000p\\u0000:\\u0000\/\\u0000\/\\u00001\\u00009\\u00002\\u0000.\\u00001\\u00006\\u00008\\u0000.\\u00001\\u00000\\u0000.\\u00001\\u00000\\u00000\\u0000\/\\u0000m\\u0000s\\u0000m\\u0000q\\u0000\/\\u0000p\\u0000r\\u0000i\\u0000v\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0000\\u0003\\u0000LIORL\\t\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000c\ufffd\ufffdd\\u0001\\u0000\\u0000\\u0000\\u0001\\u001c \\u0002`\\u0000h\\u0000t\\u0000t\\u0000p\\u0000:\\u0000\/\\u0000\/\\u00001\\u00009\\u00002\\u0000.\\u00001\\u00006\\u00008\\u0000.\\u00001\\u00000\\u0000.\\u00001\\u00000\\u00000\\u0000\/\\u0000m\\u0000s\\u0000m\\u0000q\\u0000\/\\u0000p\\u0000r\\u0000i\\u0000v\\u0000a\\u0000t\\u0000e\\u0000$\\u0000\/\\u0000q\\u0000u\\u0000e\\u0000u\\u0000e\\u0000j\\u0000u\\u0000m\\u0000p\\u0000e\\u0000r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000p\\u0000o\\u0000c\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001b\\u0002\\u0000\\u0000\u003C\\u0000s\\u0000e\\u0000:\\u0000E\\u0000n\\u0000v\\u0000e\\u0000l\\u0000o\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0000\\u0003\\u0000LIORL\\t\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000c\ufffd\ufffdd\\u0001\\u0000\\u0000\\u0000\\u0001\\u001c \\u0002`\\u0000h\\u0000t\\u0000t\\u0000p\\u0000:\\u0000\/\\u0000\/\\u00001\\u00009\\u00002\\u0000.\\u00001\\u00006\\u00008\\u0000.\\u00001\\u00000\\u0000.\\u00001\\u00000\\u00000\\u0000\/\\u0000m\\u0000s\\u0000m\\u0000q\\u0000\/\\u0000p\\u0000r\\u0000i\\u0000v\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ef676bab6e658db1a56a770a3741ec834257c52c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0000\\u0003\\u0000LIORL\\t\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000c\ufffd\ufffdd\\u0001\\u0000\\u0000\\u0000\\u0001\\u001c \\u0002`\\u0000h\\u0000t\\u0000t\\u0000p\\u0000:\\u0000\/\\u0000\/\\u00001\\u00009\\u00002\\u0000.\\u00001\\u00006\\u00008\\u0000.\\u00001\\u00000\\u0000.\\u00001\\u00000\\u00000\\u0000\/\\u0000m\\u0000s\\u0000m\\u0000q\\u0000\/\\u0000p\\u0000r\\u0000i\\u0000v\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022LIORL\\t\ufffd\ufffd\ufffd\ufffdc\ufffd\ufffdd `http:\/\/192.168.10.100\/msmq\/priv\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0000\\u0003\\u0000LIORL\\t\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000c\ufffd\ufffdd\\u0001\\u0000\\u0000\\u0000\\u0001\\u001c \\u0002`\\u0000h\\u0000t\\u0000t\\u0000p\\u0000:\\u0000\/\\u0000\/\\u00001\\u00009\\u00002\\u0000.\\u00001\\u00006\\u00008\\u0000.\\u00001\\u00000\\u0000.\\u00001\\u00000\\u00000\\u0000\/\\u0000m\\u0000s\\u0000m\\u0000q\\u0000\/\\u0000p\\u0000r\\u0000i\\u0000v\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022LIORL\\t\ufffd\ufffd\ufffd\ufffdc\ufffd\ufffdd `http:\/\/192.168.10.100\/msmq\/priv\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":2380},{"id":12826531,"ip":"50.116.17.136","ts":"2026-07-19 02:17:20.000000","proto":"tcp","src_port":54046,"dst_port":1723,"service":"pptp","classification":"kafka_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 151, \u0022payload_entropy\u0022: 2.9394053309596297, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0556\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0556\u0022], \u0022matched_patterns\u0022: [\u0022pat-0556\u0022, \u0022pat-0577\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022, \u0022pat-0623\u0022], \u0022matched_pattern_names\u0022: [\u0022Kafka ApiVersions key\u0022, \u0022RADIUS Access-Request\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022, \u0022WireGuard handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0556\u0022, \u0022pat-0577\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022, \u0022pat-0623\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002240d2dbc3799fc4c078b732b44566c778\u0022, \u0022path_pattern_hash\u0022: \u0022369bfdf011acc5969bcb68a7ffd2ca13\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u000b\ufffd\ufffd\\u0000\\u0000\\u0000MMS\\u0014\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0001\\u0000\\u0003\\u0000\ufffd\ufffd\ufffd\ufffd\\u000b\\u0000\\u0004\\u0000\\u001c\\u0000\\u0003\\u0000N\\u0000S\\u0000P\\u0000l\\u0000a\\u0000y\\u0000e\\u0000r\\u0000\/\\u00009\\u0000.\\u0000\\u0000.\\u0000\\u0000.\\u0002\\u00009\\u00008\\u0000\\u0000;\\u0000 \\u0000{\\u0000\\u0000\\u0000\\u0000\\u0000A\\u0000A\\u0000\\u0000\\u0000-\\u0000\\u0000A\\u0000\\u0000\\u0000-\\u0000\\u0000\\u0000a\\u0000\\u0000-\\u0000A\\u0000A\\u0000\\u0000A\\u0000-\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u000b\ufffd\ufffd\\u0000\\u0000\\u0000MMS\\u0014\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0001\\u0000\\u0003\\u0000\ufffd\ufffd\ufffd\ufffd\\u000b\\u0000\\u0004\\u0000\\u001c\\u0000\\u0003\\u0000N\\u0000S\\u0000P\\u0000l\\u0000a\\u0000y\\u0000e\\u0000r\\u0000\/\\u00009\\u0000.\\u0000\\u0000.\\u0000\\u0000.\\u0002\\u00009\\u00008\\u0000\\u0000;\\u0000 \\u0000{\\u0000\\u0000\\u0000\\u0000\\u0000A\\u0000A\\u0000\\u0000\\u0000-\\u0000\\u0000A\\u0000\\u0000\\u0000-\\u0000\\u0000\\u0000a\\u0000\\u0000-\\u0000A\\u0000A\\u0000\\u0000A\\u0000-\\u0000\\u0000\\u0000\\u0000\\u0000A\\u0000\\u0000A\\u0000A\\u0000\\u0000A\\u0000A\\u0000\\u0000}\\u0000\\u0000\\u0000\ufffdm\ufffd_\u0022, \u0022payload_snippet\u0022: \u0022\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u000b\ufffd\ufffd\\u0000\\u0000\\u0000MMS\\u0014\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0001\\u0000\\u0003\\u0000\ufffd\ufffd\ufffd\ufffd\\u000b\\u0000\\u0004\\u0000\\u001c\\u0000\\u0003\\u0000N\\u0000S\\u0000P\\u0000l\\u0000a\\u0000y\\u0000e\\u0000r\\u0000\/\\u00009\\u0000.\\u0000\\u0000.\\u0000\\u0000.\\u0002\\u00009\\u00008\\u0000\\u0000;\\u0000 \\u0000{\\u0000\\u0000\\u0000\\u0000\\u0000A\\u0000A\\u0000\\u0000\\u0000-\\u0000\\u0000A\\u0000\\u0000\\u0000-\\u0000\\u0000\\u0000a\\u0000\\u0000-\\u0000A\\u0000A\\u0000\\u0000A\\u0000-\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c78777423a82ea1f44298ed3e054d16a087b243f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u000b\ufffd\ufffd\\u0000\\u0000\\u0000MMS\\u0014\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0001\\u0000\\u0003\\u0000\ufffd\ufffd\ufffd\ufffd\\u000b\\u0000\\u0004\\u0000\\u001c\\u0000\\u0003\\u0000N\\u0000S\\u0000P\\u0000l\\u0000a\\u0000y\\u0000e\\u0000r\\u0000\/\\u00009\\u0000.\\u0000\\u0000.\\u0000\\u0000.\\u0002\\u00009\\u00008\\u0000\\u0000;\\u0000 \\u0000{\\u0000\\u0000\\u0000\\u0000\\u0000A\\u0000A\\u0000\\u0000\\u0000-\\u0000\\u0000A\\u0000\\u0000\\u0000-\\u0000\\u0000\\u0000a\\u0000\\u0000-\\u0000A\\u0000A\\u0000\\u0000A\\u0000-\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffdMMS\ufffd\ufffd\ufffd\ufffdNSPlayer\/9...98; {AA-A-a-AAA-\u0022, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0556\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0556\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u000b\ufffd\ufffd\\u0000\\u0000\\u0000MMS\\u0014\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0001\\u0000\\u0003\\u0000\ufffd\ufffd\ufffd\ufffd\\u000b\\u0000\\u0004\\u0000\\u001c\\u0000\\u0003\\u0000N\\u0000S\\u0000P\\u0000l\\u0000a\\u0000y\\u0000e\\u0000r\\u0000\/\\u00009\\u0000.\\u0000\\u0000.\\u0000\\u0000.\\u0002\\u00009\\u00008\\u0000\\u0000;\\u0000 \\u0000{\\u0000\\u0000\\u0000\\u0000\\u0000A\\u0000A\\u0000\\u0000\\u0000-\\u0000\\u0000A\\u0000\\u0000\\u0000-\\u0000\\u0000\\u0000a\\u0000\\u0000-\\u0000A\\u0000A\\u0000\\u0000A\\u0000-\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffdMMS\ufffd\ufffd\ufffd\ufffdNSPlayer\/9...98; {AA-A-a-AAA-\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":151},{"id":12826533,"ip":"50.116.17.136","ts":"2026-07-19 02:17:20.000000","proto":"tcp","src_port":54052,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 89, \u0022payload_entropy\u0022: 3.590885939096492, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e6ee9d885892cc379640f5aecf8397b8\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022request_sample\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f6688acf2ff423f91164cc133a328a3fc318fbb3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022Z6,\ufffd :\ufffd(CONNECT_DATA=(COMMAND=version))\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Z6,\ufffd :\ufffd(CONNECT_DATA=(COMMAND=version))\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":89},{"id":12826534,"ip":"50.116.17.136","ts":"2026-07-19 02:17:20.000000","proto":"tcp","src_port":54060,"dst_port":1723,"service":"pptp","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 52, \u0022payload_entropy\u0022: 3.604409845438833, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022afb7563388db612913bdc0ece6e1eb0fc2b19b8c\u0022, \u0022event_fingerprint\u0022: \u00227c1f9591e307bcecf7b1779ad3cb12735200cea3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002223edc99bdfe5fe902f5ff28aa98ef130\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f0415e7fc44fb5a907dd474ce305bfad871872d2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u00224(\ufffdUMSSQLServerH\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00224(\ufffdUMSSQLServerH\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":52},{"id":12826526,"ip":"50.116.17.136","ts":"2026-07-19 02:17:19.000000","proto":"tcp","src_port":54022,"dst_port":1723,"service":"pptp","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 11, \u0022payload_entropy\u0022: 1.6729330318733675, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022RDP negotiation\u0022, \u0022ET H.323 setup\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226771a78868614c6768349c36da4591da\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022609211cf65da28984f61b704acf467d3bdee3723\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via PPTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":11},{"id":12826527,"ip":"50.116.17.136","ts":"2026-07-19 02:17:19.000000","proto":"tcp","src_port":54028,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 23, \u0022payload_entropy\u0022: 2.6081816167087406, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022947f08e762562490af13d3254ff011a6\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022request_sample\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022payload_snippet\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022payload_snippet\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022980447686df06a1c40542e8f2288a152dfa1a56b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022DmdT\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DmdT\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":23},{"id":12826529,"ip":"50.116.17.136","ts":"2026-07-19 02:17:19.000000","proto":"tcp","src_port":54032,"dst_port":1723,"service":"pptp","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 1.3389205950315934, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 33, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002212a1d0fd985fdedc5bd4fa03702a0ea60ff26ad9\u0022, \u0022event_fingerprint\u0022: \u0022fdc5f2a7f5ee5f4fe9b1ace246db8b970a5d64ed\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 80%\u0022, \u0022confidence\u0022: 0.8, \u0022classification_confidence\u0022: 0.8, \u0022precision_score\u0022: 90, \u0022precision_signals\u0022: [\u0022ET-PROTO-MongoDB-Wire\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-PROTO-MongoDB-Wire\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 33}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 80.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f60433e5ca098d6d06ab4b829e9f35c4\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 33}, \u0022payload_preview\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 80%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e263d382a4e63e56110ace003d6c0f4b984bccae\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022:\/@=\/@\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 80 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 80%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 80%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 33\/100\u0022, \u0022confidence_pct\u0022: 80, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 33}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 33, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022ET-PROTO-MongoDB-Wire\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-PROTO-MongoDB-Wire\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022:\/@=\/@\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 80 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 80 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_wire_protocol\u0022, \u0022net_mongodb_wire_protocol\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022rdp_cookie_alt\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_wire_protocol\u0022, \u0022net_mongodb_wire_protocol\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022rdp_cookie_alt\u0022]","anomalies":"[]","severity":6,"bytes_in":60},{"id":12826530,"ip":"50.116.17.136","ts":"2026-07-19 02:17:19.000000","proto":"tcp","src_port":54044,"dst_port":1723,"service":"pptp","classification":"java_rmi_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 7, \u0022payload_entropy\u0022: 2.807354922057604, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0604\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0604\u0022], \u0022matched_patterns\u0022: [\u0022pat-0604\u0022], \u0022matched_pattern_names\u0022: [\u0022Java RMI JRMI\u0022], \u0022pattern_ids\u0022: [\u0022pat-0604\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d8c49a0f759e2102fb8fa8368049d06a\u0022, \u0022path_pattern_hash\u0022: \u00227a566ca86213ccd15a91c0b5a885a24f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f4e3b6f3d713061fb1602a78d251be27fb99436b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0604\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0604\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":7},{"id":12826522,"ip":"50.116.17.136","ts":"2026-07-19 02:17:18.000000","proto":"tcp","src_port":53992,"dst_port":1723,"service":"pptp","classification":"ldap_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 2.9852281360342516, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab ldap_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0859\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0859\u0022], \u0022matched_patterns\u0022: [\u0022pat-0859\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022ET LDAP anon bind\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0859\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022548b3df94bdc85e8b94b0de75b5e0379\u0022, \u0022path_pattern_hash\u0022: \u002279ba87c92cce1f6abf5b6560fb8afdba\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab ldap_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022190214044fe33a3690607ff25e7ecd3ccf59e55e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u00220`\ufffd\u0022, \u0022attack_vector\u0022: \u0022ldap probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab ldap_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab ldap_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0859\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0859\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022ldap probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00220`\ufffd\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":14},{"id":12826524,"ip":"50.116.17.136","ts":"2026-07-19 02:17:18.000000","proto":"tcp","src_port":53994,"dst_port":1723,"service":"pptp","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 223, \u0022payload_entropy\u0022: 5.197167462839961, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022, \u0022pat-0420\u0022, \u0022pat-0535\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022, \u0022HTTP OPTIONS method\u0022, \u0022SIP OPTIONS\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022, \u0022pat-0420\u0022, \u0022pat-0535\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220712a7f81d9d033f2caa8a8a90bbc4a8\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42 \u0022, \u0022request_sample\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42 OPTIONS\\r\\nMax-Forwards: 70\\r\\nContent-Length: 0\\r\\nContact: \u003Csip:nm@nm\u003E\\r\\nAccept: application\/sdp\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42 OPTIONS\\r\\nMax-Forwards: 70\\r\\nContent-Length: 0\\r\\nContact: \u003Csip:nm@nm\u003E\\r\\nAccept: application\/sdp\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022147ea9876c2742146b38016542430f0578a43e3f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via PPTP:1723 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via PPTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via PPTP:1723 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":223},{"id":12826525,"ip":"50.116.17.136","ts":"2026-07-19 02:17:18.000000","proto":"tcp","src_port":54010,"dst_port":1723,"service":"pptp","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 16, \u0022payload_entropy\u0022: 2.5306390622295662, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224128f0bf8d86360e67d6f2d54987a8fb\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022request_sample\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022payload_snippet\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022payload_snippet\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225108266f117024506d86e93e5885626790f4f4a7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022TNMPTNME\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TNMPTNME\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":16},{"id":12826517,"ip":"50.116.17.136","ts":"2026-07-19 02:17:17.000000","proto":"tcp","src_port":53952,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 0.8166890883150209, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad33d13d6bc3bd05c9957f130811a989\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002275ab932868d2ac9a718589c606d17f62d4ae42a2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022l\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022l\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":12},{"id":12826519,"ip":"50.116.17.136","ts":"2026-07-19 02:17:17.000000","proto":"tcp","src_port":53960,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 53, \u0022payload_entropy\u0022: 4.704058897836964, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f90077b897efd13cca4affb87403fc752248aad8\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002208bd34a37b11f5c307f84418e0c2a579\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 24}, \u0022payload_preview\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229cd6552cef1ead97e592d7bee521a434cff35eaf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":53},{"id":12826520,"ip":"50.116.17.136","ts":"2026-07-19 02:17:17.000000","proto":"tcp","src_port":53966,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 3.169925001442312, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0577\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002239b37e76df338b7381ea8bb116701c98\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0001default\\n\u0022, \u0022request_sample\u0022: \u0022\\u0001default\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0001default\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0001default\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0001default\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cae2016c9e30662871edd72c16d16f72ba9ced60\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001default\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022default\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0577\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0577\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001default\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022default\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":9},{"id":12826521,"ip":"50.116.17.136","ts":"2026-07-19 02:17:17.000000","proto":"tcp","src_port":53976,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 51, \u0022payload_entropy\u0022: 3.7946877264252636, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022edc124f1d34ba290330abcac2736b204\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022142fb7c3a739da3440fed479f28fe1646c242932\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u00220\ufffd-c\ufffd$\\n\\nd\ufffdobjectClass0\ufffd\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00220\ufffd-c\ufffd$\\n\\nd\ufffdobjectClass0\ufffd\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":51},{"id":12826514,"ip":"50.116.17.136","ts":"2026-07-19 02:17:16.000000","proto":"tcp","src_port":53928,"dst_port":1723,"service":"pptp","classification":"port_1723_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 110, \u0022payload_entropy\u0022: 4.269606220838881, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 41, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022649f5bc17e8f924044d127d497957e9af62e3e9e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_1723_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 41}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224ad5dce8143f2bcf1242885cff6e93f8\u0022, \u0022path_pattern_hash\u0022: \u0022217ebc4803b83a5ee0956277bd93a3ec\u0022, \u0022ja3\u0022: \u002216ee84a07b55074cb2751329bf1c8811\u0022, \u0022ja4\u0022: \u0022011b865e5f91ae5e1836c88110724dcb\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 6, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u002216ee84a07b55074cb2751329bf1c8811\u0022, \u0022tls_ja3\u0022: \u0022771,47-10-19-57-4-255,13,,\u0022, \u0022tls_ja4_hash\u0022: \u0022011b865e5f91ae5e1836c88110724dcb\u0022, \u0022tls_ja4\u0022: \u0022t13d0106_3fdba35f04dc_d03502c43d74\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 6, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 41}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0000\\u0000i\\u0001\\u0000\\u0000e\\u0003\\u0003U\\u001c\ufffd\ufffdrandom1random2random3random4\\u0000\\u0000\\f\\u0000\/\\u0000\\n\\u0000\\u0013\\u00009\\u0000\\u0004\\u0000\ufffd\\u0001\\u0000\\u00000\\u0000\\r\\u0000,\\u0000*\\u0000\\u0001\\u0000\\u0003\\u0000\\u0002\\u0006\\u0001\\u0006\\u0003\\u0006\\u0002\\u0002\\u0001\\u0002\\u0003\\u0002\\u0002\\u0003\\u0001\\u0003\\u0003\\u0003\\u0002\\u0004\\u0001\\u0004\\u0003\\u0004\\u0002\\u0001\\u0001\\u0001\\u0003\\u0001\\u0002\\u0005\\u0001\\u0005\\u0003\\u0005\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0000\\u0000i\\u0001\\u0000\\u0000e\\u0003\\u0003U\\u001c\ufffd\ufffdrandom1random2random3random4\\u0000\\u0000\\f\\u0000\/\\u0000\\n\\u0000\\u0013\\u00009\\u0000\\u0004\\u0000\ufffd\\u0001\\u0000\\u00000\\u0000\\r\\u0000,\\u0000*\\u0000\\u0001\\u0000\\u0003\\u0000\\u0002\\u0006\\u0001\\u0006\\u0003\\u0006\\u0002\\u0002\\u0001\\u0002\\u0003\\u0002\\u0002\\u0003\\u0001\\u0003\\u0003\\u0003\\u0002\\u0004\\u0001\\u0004\\u0003\\u0004\\u0002\\u0001\\u0001\\u0001\\u0003\\u0001\\u0002\\u0005\\u0001\\u0005\\u0003\\u0005\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0000\\u0000i\\u0001\\u0000\\u0000e\\u0003\\u0003U\\u001c\ufffd\ufffdrandom1random2random3random4\\u0000\\u0000\\f\\u0000\/\\u0000\\n\\u0000\\u0013\\u00009\\u0000\\u0004\\u0000\ufffd\\u0001\\u0000\\u00000\\u0000\\r\\u0000,\\u0000*\\u0000\\u0001\\u0000\\u0003\\u0000\\u0002\\u0006\\u0001\\u0006\\u0003\\u0006\\u0002\\u0002\\u0001\\u0002\\u0003\\u0002\\u0002\\u0003\\u0001\\u0003\\u0003\\u0003\\u0002\\u0004\\u0001\\u0004\\u0003\\u0004\\u0002\\u0001\\u0001\\u0001\\u0003\\u0001\\u0002\\u0005\\u0001\\u0005\\u0003\\u0005\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_1723_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225fbec9f921406ae42a82d79224a06bc21cc94cb5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0000\\u0000i\\u0001\\u0000\\u0000e\\u0003\\u0003U\\u001c\ufffd\ufffdrandom1random2random3random4\\u0000\\u0000\\f\\u0000\/\\u0000\\n\\u0000\\u0013\\u00009\\u0000\\u0004\\u0000\ufffd\\u0001\\u0000\\u00000\\u0000\\r\\u0000,\\u0000*\\u0000\\u0001\\u0000\\u0003\\u0000\\u0002\\u0006\\u0001\\u0006\\u0003\\u0006\\u0002\\u0002\\u0001\\u0002\\u0003\\u0002\\u0002\\u0003\\u0001\\u0003\\u0003\\u0003\\u0002\\u0004\\u0001\\u0004\\u0003\\u0004\\u0002\\u0001\\u0001\\u0001\\u0003\\u0001\\u0002\\u0005\\u0001\\u0005\\u0003\\u0005\\u0002\u0022, \u0022tls_ja3\u0022: \u002216ee84a07b55074cb2751329bf1c8811\u0022, \u0022tls_ja4\u0022: \u0022011b865e5f91ae5e1836c88110724dcb\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022ieU\ufffd\ufffdrandom1random2random3random4\/\\n9\ufffd0\\r,*\u0022, \u0022attack_vector\u0022: \u0022port 1723 tcp \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_1723_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_1723_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 41\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 41}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 41, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0000\\u0000i\\u0001\\u0000\\u0000e\\u0003\\u0003U\\u001c\ufffd\ufffdrandom1random2random3random4\\u0000\\u0000\\f\\u0000\/\\u0000\\n\\u0000\\u0013\\u00009\\u0000\\u0004\\u0000\ufffd\\u0001\\u0000\\u00000\\u0000\\r\\u0000,\\u0000*\\u0000\\u0001\\u0000\\u0003\\u0000\\u0002\\u0006\\u0001\\u0006\\u0003\\u0006\\u0002\\u0002\\u0001\\u0002\\u0003\\u0002\\u0002\\u0003\\u0001\\u0003\\u0003\\u0003\\u0002\\u0004\\u0001\\u0004\\u0003\\u0004\\u0002\\u0001\\u0001\\u0001\\u0003\\u0001\\u0002\\u0005\\u0001\\u0005\\u0003\\u0005\\u0002\u0022, \u0022tls_ja3\u0022: \u002216ee84a07b55074cb2751329bf1c8811\u0022, \u0022tls_ja4\u0022: \u0022011b865e5f91ae5e1836c88110724dcb\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022port 1723 tcp \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022ieU\ufffd\ufffdrandom1random2random3random4\/\\n9\ufffd0\\r,*\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":110},{"id":12826515,"ip":"50.116.17.136","ts":"2026-07-19 02:17:16.000000","proto":"tcp","src_port":53932,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 117, \u0022payload_entropy\u0022: 5.017384795565958, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cadb0423aaf435668f733a341f057883\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000qj\ufffdn0\ufffdk\ufffd\\u0003\\u0002\\u0001\\u0005\ufffd\\u0003\\u0002\\u0001\\n\ufffd\ufffd^0\\\\\ufffd\\u0007\\u0003\\u0005\\u0000P\ufffd\\u0000\\u0010\ufffd\\u0004\\u001b\\u0002NM\ufffd\\u00170\\u0015\ufffd\\u0003\\u0002\\u0001\\u0000\ufffd\\u000e0\\f\\u001b\\u0006krbtgt\\u001b\\u0002NM\ufffd\\u0011\\u0018\\u000f19700101000000Z\ufffd\\u0006\\u0002\\u0004\\u001f\\u001e\ufffd\u0668\\u00170\\u0015\\u0002\\u0001\\u0012\\u0002\\u0001\\u0011\\u0002\\u0001\\u0010\\u0002\\u0001\\u0017\\u0002\\u0001\\u0001\\u0002\\u0001\\u0003\\u0002\\u0001\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000qj\ufffdn0\ufffdk\ufffd\\u0003\\u0002\\u0001\\u0005\ufffd\\u0003\\u0002\\u0001\\n\ufffd\ufffd^0\\\\\ufffd\\u0007\\u0003\\u0005\\u0000P\ufffd\\u0000\\u0010\ufffd\\u0004\\u001b\\u0002NM\ufffd\\u00170\\u0015\ufffd\\u0003\\u0002\\u0001\\u0000\ufffd\\u000e0\\f\\u001b\\u0006krbtgt\\u001b\\u0002NM\ufffd\\u0011\\u0018\\u000f19700101000000Z\ufffd\\u0006\\u0002\\u0004\\u001f\\u001e\ufffd\u0668\\u00170\\u0015\\u0002\\u0001\\u0012\\u0002\\u0001\\u0011\\u0002\\u0001\\u0010\\u0002\\u0001\\u0017\\u0002\\u0001\\u0001\\u0002\\u0001\\u0003\\u0002\\u0001\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000qj\ufffdn0\ufffdk\ufffd\\u0003\\u0002\\u0001\\u0005\ufffd\\u0003\\u0002\\u0001\\n\ufffd\ufffd^0\\\\\ufffd\\u0007\\u0003\\u0005\\u0000P\ufffd\\u0000\\u0010\ufffd\\u0004\\u001b\\u0002NM\ufffd\\u00170\\u0015\ufffd\\u0003\\u0002\\u0001\\u0000\ufffd\\u000e0\\f\\u001b\\u0006krbtgt\\u001b\\u0002NM\ufffd\\u0011\\u0018\\u000f19700101000000Z\ufffd\\u0006\\u0002\\u0004\\u001f\\u001e\ufffd\u0668\\u00170\\u0015\\u0002\\u0001\\u0012\\u0002\\u0001\\u0011\\u0002\\u0001\\u0010\\u0002\\u0001\\u0017\\u0002\\u0001\\u0001\\u0002\\u0001\\u0003\\u0002\\u0001\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000qj\ufffdn0\ufffdk\ufffd\\u0003\\u0002\\u0001\\u0005\ufffd\\u0003\\u0002\\u0001\\n\ufffd\ufffd^0\\\\\ufffd\\u0007\\u0003\\u0005\\u0000P\ufffd\\u0000\\u0010\ufffd\\u0004\\u001b\\u0002NM\ufffd\\u00170\\u0015\ufffd\\u0003\\u0002\\u0001\\u0000\ufffd\\u000e0\\f\\u001b\\u0006krbtgt\\u001b\\u0002NM\ufffd\\u0011\\u0018\\u000f19700101000000Z\ufffd\\u0006\\u0002\\u0004\\u001f\\u001e\ufffd\u0668\\u00170\\u0015\\u0002\\u0001\\u0012\\u0002\\u0001\\u0011\\u0002\\u0001\\u0010\\u0002\\u0001\\u0017\\u0002\\u0001\\u0001\\u0002\\u0001\\u0003\\u0002\\u0001\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000qj\ufffdn0\ufffdk\ufffd\\u0003\\u0002\\u0001\\u0005\ufffd\\u0003\\u0002\\u0001\\n\ufffd\ufffd^0\\\\\ufffd\\u0007\\u0003\\u0005\\u0000P\ufffd\\u0000\\u0010\ufffd\\u0004\\u001b\\u0002NM\ufffd\\u00170\\u0015\ufffd\\u0003\\u0002\\u0001\\u0000\ufffd\\u000e0\\f\\u001b\\u0006krbtgt\\u001b\\u0002NM\ufffd\\u0011\\u0018\\u000f19700101000000Z\ufffd\\u0006\\u0002\\u0004\\u001f\\u001e\ufffd\u0668\\u00170\\u0015\\u0002\\u0001\\u0012\\u0002\\u0001\\u0011\\u0002\\u0001\\u0010\\u0002\\u0001\\u0017\\u0002\\u0001\\u0001\\u0002\\u0001\\u0003\\u0002\\u0001\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c86ac2572fa594119cf67ac922a0567169bd2efa\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000qj\ufffdn0\ufffdk\ufffd\\u0003\\u0002\\u0001\\u0005\ufffd\\u0003\\u0002\\u0001\\n\ufffd\ufffd^0\\\\\ufffd\\u0007\\u0003\\u0005\\u0000P\ufffd\\u0000\\u0010\ufffd\\u0004\\u001b\\u0002NM\ufffd\\u00170\\u0015\ufffd\\u0003\\u0002\\u0001\\u0000\ufffd\\u000e0\\f\\u001b\\u0006krbtgt\\u001b\\u0002NM\ufffd\\u0011\\u0018\\u000f19700101000000Z\ufffd\\u0006\\u0002\\u0004\\u001f\\u001e\ufffd\u0668\\u00170\\u0015\\u0002\\u0001\\u0012\\u0002\\u0001\\u0011\\u0002\\u0001\\u0010\\u0002\\u0001\\u0017\\u0002\\u0001\\u0001\\u0002\\u0001\\u0003\\u0002\\u0001\\u0002\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022qj\ufffdn0\ufffdk\ufffd\ufffd\\n\ufffd\ufffd^0\\\\\ufffdP\ufffd\ufffdNM\ufffd0\ufffd\ufffd0krbtgtNM\ufffd19700101000000Z\ufffd\ufffd\u06680\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000qj\ufffdn0\ufffdk\ufffd\\u0003\\u0002\\u0001\\u0005\ufffd\\u0003\\u0002\\u0001\\n\ufffd\ufffd^0\\\\\ufffd\\u0007\\u0003\\u0005\\u0000P\ufffd\\u0000\\u0010\ufffd\\u0004\\u001b\\u0002NM\ufffd\\u00170\\u0015\ufffd\\u0003\\u0002\\u0001\\u0000\ufffd\\u000e0\\f\\u001b\\u0006krbtgt\\u001b\\u0002NM\ufffd\\u0011\\u0018\\u000f19700101000000Z\ufffd\\u0006\\u0002\\u0004\\u001f\\u001e\ufffd\u0668\\u00170\\u0015\\u0002\\u0001\\u0012\\u0002\\u0001\\u0011\\u0002\\u0001\\u0010\\u0002\\u0001\\u0017\\u0002\\u0001\\u0001\\u0002\\u0001\\u0003\\u0002\\u0001\\u0002\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022qj\ufffdn0\ufffdk\ufffd\ufffd\\n\ufffd\ufffd^0\\\\\ufffdP\ufffd\ufffdNM\ufffd0\ufffd\ufffd0krbtgtNM\ufffd19700101000000Z\ufffd\ufffd\u06680\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":117},{"id":12826516,"ip":"50.116.17.136","ts":"2026-07-19 02:17:16.000000","proto":"tcp","src_port":53940,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 168, \u0022payload_entropy\u0022: 4.517824025292926, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c8b954e7bc1bc076c8d1bd64820e67f\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002Samba\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002Samba\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022016a4571e705cd5eae66a1af0f9c800b7d2c1ba5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdSMBr@@\ufffdPC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdSMBr@@\ufffdPC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":168},{"id":12826510,"ip":"50.116.17.136","ts":"2026-07-19 02:17:15.000000","proto":"tcp","src_port":53892,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 0.7345299214394703, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224e22f28763980c307f0449194c0e0a42\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0000\\f\\u0000\\u0000\\u0010\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\f\\u0000\\u0000\\u0010\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\f\\u0000\\u0000\\u0010\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\f\\u0000\\u0000\\u0010\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\f\\u0000\\u0000\\u0010\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002201cc6c8590580fa0c74892476f6f6e3d386840f8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\f\\u0000\\u0000\\u0010\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\f\\u0000\\u0000\\u0010\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":14},{"id":12826511,"ip":"50.116.17.136","ts":"2026-07-19 02:17:15.000000","proto":"tcp","src_port":53900,"dst_port":1723,"service":"pptp","classification":"opcua_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 6, \u0022payload_entropy\u0022: 2.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0626\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0626\u0022], \u0022matched_patterns\u0022: [\u0022pat-0626\u0022], \u0022matched_pattern_names\u0022: [\u0022OPC UA HEL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0626\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fb323af48498fcb3974ce6b1881c8797\u0022, \u0022path_pattern_hash\u0022: \u00229665a326f7d8f70f1661dab78807b951\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022HELP\\r\\n\u0022, \u0022request_sample\u0022: \u0022HELP\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HELP\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022HELP\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022HELP\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f23e44bd3d9712955f58fa46960f048c836390d1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HELP\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022HELP\u0022, \u0022attack_vector\u0022: \u0022opcua probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0626\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0626\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HELP\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022opcua probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022HELP\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":6},{"id":12826512,"ip":"50.116.17.136","ts":"2026-07-19 02:17:15.000000","proto":"tcp","src_port":53914,"dst_port":1723,"service":"pptp","classification":"port_1723_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 88, \u0022payload_entropy\u0022: 4.71356415999113, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 41, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022649f5bc17e8f924044d127d497957e9af62e3e9e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_1723_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 41}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002280ab07029d5f302cd55bfd003a3a37f1\u0022, \u0022path_pattern_hash\u0022: \u0022217ebc4803b83a5ee0956277bd93a3ec\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 41}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0000\\u0000S\\u0001\\u0000\\u0000O\\u0003\\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd\u003C=\ufffdo\ufffd\\u0010n\\u0000\\u0000(\\u0000\\u0016\\u0000\\u0013\\u0000\\n\\u0000f\\u0000\\u0005\\u0000\\u0004\\u0000e\\u0000d\\u0000c\\u0000b\\u0000a\\u0000`\\u0000\\u0015\\u0000\\u0012\\u0000\\t\\u0000\\u0014\\u0000\\u0011\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0000\\u0000S\\u0001\\u0000\\u0000O\\u0003\\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd\u003C=\ufffdo\ufffd\\u0010n\\u0000\\u0000(\\u0000\\u0016\\u0000\\u0013\\u0000\\n\\u0000f\\u0000\\u0005\\u0000\\u0004\\u0000e\\u0000d\\u0000c\\u0000b\\u0000a\\u0000`\\u0000\\u0015\\u0000\\u0012\\u0000\\t\\u0000\\u0014\\u0000\\u0011\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0000\\u0000S\\u0001\\u0000\\u0000O\\u0003\\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd\u003C=\ufffdo\ufffd\\u0010n\\u0000\\u0000(\\u0000\\u0016\\u0000\\u0013\\u0000\\n\\u0000f\\u0000\\u0005\\u0000\\u0004\\u0000e\\u0000d\\u0000c\\u0000b\\u0000a\\u0000`\\u0000\\u0015\\u0000\\u0012\\u0000\\t\\u0000\\u0014\\u0000\\u0011\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0000\\u0000S\\u0001\\u0000\\u0000O\\u0003\\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd\u003C=\ufffdo\ufffd\\u0010n\\u0000\\u0000(\\u0000\\u0016\\u0000\\u0013\\u0000\\n\\u0000f\\u0000\\u0005\\u0000\\u0004\\u0000e\\u0000d\\u0000c\\u0000b\\u0000a\\u0000`\\u0000\\u0015\\u0000\\u0012\\u0000\\t\\u0000\\u0014\\u0000\\u0011\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0000\\u0000S\\u0001\\u0000\\u0000O\\u0003\\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd\u003C=\ufffdo\ufffd\\u0010n\\u0000\\u0000(\\u0000\\u0016\\u0000\\u0013\\u0000\\n\\u0000f\\u0000\\u0005\\u0000\\u0004\\u0000e\\u0000d\\u0000c\\u0000b\\u0000a\\u0000`\\u0000\\u0015\\u0000\\u0012\\u0000\\t\\u0000\\u0014\\u0000\\u0011\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_1723_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225c12345af785465dc521fb6ba9441ed16790b2e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0000\\u0000S\\u0001\\u0000\\u0000O\\u0003\\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd\u003C=\ufffdo\ufffd\\u0010n\\u0000\\u0000(\\u0000\\u0016\\u0000\\u0013\\u0000\\n\\u0000f\\u0000\\u0005\\u0000\\u0004\\u0000e\\u0000d\\u0000c\\u0000b\\u0000a\\u0000`\\u0000\\u0015\\u0000\\u0012\\u0000\\t\\u0000\\u0014\\u0000\\u0011\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022SO?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd\u003C=\ufffdo\ufffdn(\\nfedcba`\u0022, \u0022attack_vector\u0022: \u0022port 1723 tcp \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_1723_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_1723_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 41\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 41}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 41, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0000\\u0000S\\u0001\\u0000\\u0000O\\u0003\\u0000?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\\u0000\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd\u003C=\ufffdo\ufffd\\u0010n\\u0000\\u0000(\\u0000\\u0016\\u0000\\u0013\\u0000\\n\\u0000f\\u0000\\u0005\\u0000\\u0004\\u0000e\\u0000d\\u0000c\\u0000b\\u0000a\\u0000`\\u0000\\u0015\\u0000\\u0012\\u0000\\t\\u0000\\u0014\\u0000\\u0011\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022port 1723 tcp \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SO?G\ufffd\ufffd\ufffd,\ufffd\ufffd`~\ufffd\ufffd\ufffd{\ufffd\u0556\ufffdw\ufffd\ufffd\ufffd\ufffd\u003C=\ufffdo\ufffdn(\\nfedcba`\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":88},{"id":12826513,"ip":"50.116.17.136","ts":"2026-07-19 02:17:15.000000","proto":"tcp","src_port":53920,"dst_port":1723,"service":"pptp","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 42, \u0022payload_entropy\u0022: 3.9511430177077895, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022daf7ed9941f61ac36c18c46b936b1ada\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000*%\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=beio\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000*%\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=beio\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000*%\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=beio\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000*%\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=beio\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000*%\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=beio\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220058edce6a013ec26b0cbc4999d89e21bdab1087\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000*%\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=beio\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022*%\ufffdCookie: mstshash=beio\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via PPTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000*%\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=beio\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022*%\ufffdCookie: mstshash=beio\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":42},{"id":12826507,"ip":"50.116.17.136","ts":"2026-07-19 02:17:14.000000","proto":"tcp","src_port":53866,"dst_port":1723,"service":"pptp","classification":"rtsp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 22, \u0022payload_entropy\u0022: 3.73215889136457, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0382\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0382\u0022], \u0022matched_patterns\u0022: [\u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022RTSP protocol\u0022, \u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0382\u0022, \u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b9373ea592d67ff8b93af91f8352abc2\u0022, \u0022path_pattern_hash\u0022: \u0022b1dd2a100b4c2489a836875293183168\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022OPTIONS \/ RTSP\/1.0\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS \/ RTSP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS \/ RTSP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS \/ RTSP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS \/ RTSP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022516c2c8e10ed488bf486ea59de0af1f0e1494596\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS \/ RTSP\/1.0\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS \/ RTSP\/1.0\u0022, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0382\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0382\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS \/ RTSP\/1.0\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022rtsp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS \/ RTSP\/1.0\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":22},{"id":12826508,"ip":"50.116.17.136","ts":"2026-07-19 02:17:14.000000","proto":"tcp","src_port":53878,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.9235205817738175, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f1f4632703c1a96aad1351c585bc8517e8bd4edb\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0532\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222a177602bee0d039f41fbd6da5240e04\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022391821c96d13df929b07e1e7f90c453d0387f145\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(r\ufffd\ufffd\ufffd\ufffd|\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0532\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0532\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(r\ufffd\\u001d\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001\ufffd|\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(r\ufffd\ufffd\ufffd\ufffd|\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":44},{"id":12826509,"ip":"50.116.17.136","ts":"2026-07-19 02:17:14.000000","proto":"tcp","src_port":53884,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 32, \u0022payload_entropy\u0022: 3.309196364505181, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f373b5f5cafd9af5e2c2fd8ac069ea6c\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0000\\u001e\\u0000\\u0006\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u001e\\u0000\\u0006\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u001e\\u0000\\u0006\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u001e\\u0000\\u0006\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u001e\\u0000\\u0006\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022deebd6e877a633877f7580ace4374ca19ce8698b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u001e\\u0000\\u0006\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022versionbind\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u001e\\u0000\\u0006\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0007version\\u0004bind\\u0000\\u0000\\u0010\\u0000\\u0003\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022versionbind\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":32},{"id":12826502,"ip":"50.116.17.136","ts":"2026-07-19 02:17:13.000000","proto":"tcp","src_port":53818,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 156, \u0022payload_entropy\u0022: 1.0105311893353954, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ab337a89f397026542899f981012b540\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000beio\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000beio\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000beio\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c224dd30061cb3275a8b08851c872f84ca186324\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000beio\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd+\u003CM\ufffd\ufffdnonebeio\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000beio\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd+\u003CM\ufffd\ufffdnonebeio\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":156},{"id":12826503,"ip":"50.116.17.136","ts":"2026-07-19 02:17:13.000000","proto":"tcp","src_port":53832,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dba5166ad9db9ba648c1032ebbd34dcd\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 24}, \u0022payload_preview\u0022: \u0022\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022\\r\\n\\r\\n\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\r\\n\\r\\n\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225a66543c5dd2f331a99e191025a0955bf86398fc\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":4},{"id":12826504,"ip":"50.116.17.136","ts":"2026-07-19 02:17:13.000000","proto":"tcp","src_port":53848,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 18, \u0022payload_entropy\u0022: 3.461320140211008, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f90077b897efd13cca4affb87403fc752248aad8\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ec63b40bcbc26b71deda762dfd844f0\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 24}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b172d94267c4f0f41a74b07cfb2cd93d403dd2e4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":18},{"id":12826506,"ip":"50.116.17.136","ts":"2026-07-19 02:17:13.000000","proto":"tcp","src_port":53856,"dst_port":1723,"service":"pptp","classification":"web_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 22, \u0022payload_entropy\u0022: 3.697845823084412, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 41, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227f571a2fce7c469bfc57d5e48b3a69201915b70e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0420\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0420\u0022], \u0022matched_patterns\u0022: [\u0022pat-0420\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP OPTIONS method\u0022], \u0022pattern_ids\u0022: [\u0022pat-0420\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 41}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002276336738f875e41be8e6c44e3126e069\u0022, \u0022path_pattern_hash\u0022: \u00224154520a4208b3f021f35a6cc1dd98ae\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 41}, \u0022payload_preview\u0022: \u0022OPTIONS \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022OPTIONS \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS \/ HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS \/ HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b4c15d7c3efe1f1f5be314c64111dd205381f22f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS \/ HTTP\/1.0\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS \/ HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 41\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 41}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 41, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0420\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0420\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS \/ HTTP\/1.0\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS \/ HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":22},{"id":12826500,"ip":"50.116.17.136","ts":"2026-07-19 02:17:11.000000","proto":"tcp","src_port":53814,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002202c05162e61f911c7d449e085b8c9a1c89a8ae94\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221af557648a68e7ed7e96c7a9da337d84d37421e3\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022]","anomalies":"[]","severity":5,"bytes_in":0},{"id":12530628,"ip":"50.116.17.136","ts":"2026-07-16 16:04:50.000000","proto":"tcp","src_port":36120,"dst_port":3392,"service":null,"classification":"port_3392_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881182, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3392, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c596b85f5f489f95af8e479566eafdc5a3d33ebd\u0022, \u0022event_fingerprint\u0022: \u00223fa4e46f8020d4b499a527a095a872b3b29d0cf5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022070be4642e6db6eccccc3527d55ded29\u0022, \u0022path_pattern_hash\u0022: \u002254196e54ac52a42d37d22adad3d07fa1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3392, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f0bcd3a247e979d3b4de76f0d2fbe26cf7891ba0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3392}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3392 tcp \u00b7 port 3392 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223392\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3392, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3392}, \u0022attack_vector\u0022: \u0022port 3392 tcp \u00b7 port 3392 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223392\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223392\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12530629,"ip":"50.116.17.136","ts":"2026-07-16 16:04:50.000000","proto":"tcp","src_port":36128,"dst_port":3392,"service":null,"classification":"port_3392_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.716047706294417, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3392, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c596b85f5f489f95af8e479566eafdc5a3d33ebd\u0022, \u0022event_fingerprint\u0022: \u00223fa4e46f8020d4b499a527a095a872b3b29d0cf5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002261c292c5cfbb0e792ee40ace240e20e2\u0022, \u0022path_pattern_hash\u0022: \u002254196e54ac52a42d37d22adad3d07fa1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3392, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224756c8ef8174418e1121fcbc57f3a96f86570f4b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3392}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3392 tcp \u00b7 port 3392 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223392\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3392, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3392}, \u0022attack_vector\u0022: \u0022port 3392 tcp \u00b7 port 3392 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223392\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223392\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12530626,"ip":"50.116.17.136","ts":"2026-07-16 16:04:49.000000","proto":"tcp","src_port":36118,"dst_port":3392,"service":null,"classification":"port_3392_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.983740670882855, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3392, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c596b85f5f489f95af8e479566eafdc5a3d33ebd\u0022, \u0022event_fingerprint\u0022: \u00223fa4e46f8020d4b499a527a095a872b3b29d0cf5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227f100771350354534406eb0380a31d58\u0022, \u0022path_pattern_hash\u0022: \u002254196e54ac52a42d37d22adad3d07fa1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3392, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022863c6847c439911ccc654fb760235a8a36b3255c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3392}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3392 tcp \u00b7 port 3392 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223392\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3392_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3392, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3392}, \u0022attack_vector\u0022: \u0022port 3392 tcp \u00b7 port 3392 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223392\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223392\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12248202,"ip":"50.116.17.136","ts":"2026-07-15 20:45:08.000000","proto":"tcp","src_port":52892,"dst_port":3354,"service":null,"classification":"port_3354_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.983740670882855, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3354, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002201254320b2bbe599bb71cf65f783aa061cc3e50e\u0022, \u0022event_fingerprint\u0022: \u00222037531ed55d61c4a5b4bd6322f815033ca39c7b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227f100771350354534406eb0380a31d58\u0022, \u0022path_pattern_hash\u0022: \u0022fdba8e14bbc2bece1863b7935f59720c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3354, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022acc99e72fd1d08af719ab218bc720e197756b4a6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3354}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3354 tcp \u00b7 port 3354 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223354\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3354, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0002\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3354}, \u0022attack_vector\u0022: \u0022port 3354 tcp \u00b7 port 3354 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223354\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223354\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12248203,"ip":"50.116.17.136","ts":"2026-07-15 20:45:08.000000","proto":"tcp","src_port":52906,"dst_port":3354,"service":null,"classification":"port_3354_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881182, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3354, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002201254320b2bbe599bb71cf65f783aa061cc3e50e\u0022, \u0022event_fingerprint\u0022: \u00222037531ed55d61c4a5b4bd6322f815033ca39c7b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022070be4642e6db6eccccc3527d55ded29\u0022, \u0022path_pattern_hash\u0022: \u0022fdba8e14bbc2bece1863b7935f59720c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3354, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002232800c09dbed38f858d8e21b73fa0ee1bde2e184\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3354}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3354 tcp \u00b7 port 3354 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223354\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3354, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3354}, \u0022attack_vector\u0022: \u0022port 3354 tcp \u00b7 port 3354 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223354\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223354\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":12248204,"ip":"50.116.17.136","ts":"2026-07-15 20:45:08.000000","proto":"tcp","src_port":52920,"dst_port":3354,"service":null,"classification":"port_3354_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.716047706294417, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 63949, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3354, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002201254320b2bbe599bb71cf65f783aa061cc3e50e\u0022, \u0022event_fingerprint\u0022: \u00222037531ed55d61c4a5b4bd6322f815033ca39c7b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 63949, \u0022org\u0022: \u0022Akamai Connected Cloud\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002261c292c5cfbb0e792ee40ace240e20e2\u0022, \u0022path_pattern_hash\u0022: \u0022fdba8e14bbc2bece1863b7935f59720c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3354, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227c761ba88aaffde148ebf17a6511134a0f9295ba\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3354}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 3354 tcp \u00b7 port 3354 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223354\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_3354_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3354, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 3354}, \u0022attack_vector\u0022: \u0022port 3354 tcp \u00b7 port 3354 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u00223354\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223354\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19}],"total_events":45}