Renseignement sur les menaces

Pays-Bas

51.136.107.220

FAI Microsoft Corporation Première vue 17/06/2026 21:02 UTC Dernière vue 18/06/2026 09:22 UTC Risque Moyen

Période analysée : 2026-05-19 → 2026-06-18

Activité suspecte · risque 35/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 40/100 Moyen

Première observation 17/06/2026 21:02 UTC

Dernière observation 18/06/2026 09:22 UTC

Événements (période) 3

MITRE ATT&CK principal TA0007 3 occurrences

Activité suspecte · risque 35/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « kubernetes_probe » (signaux protocolaires) · confiance 50%

Confiance 50 % — Score WAF 8

Comparaison ASN / FAI

ASN 8075 · 51.136.0.0/15 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 3 événements sur la période pour cette IP.

20.127.244.67 elite 18/06/2026 16:56 UTC
20.80.88.247 Scan vulnérabilités 18/06/2026 16:56 UTC
20.163.34.54 Sonde port 18/06/2026 16:47 UTC
20.84.152.142 Sonde port 18/06/2026 16:36 UTC
20.169.105.96 Scan vulnérabilités 18/06/2026 16:27 UTC
13.89.125.20 Sonde port 21/TCP 18/06/2026 16:27 UTC
20.169.105.52 Sonde port 18/06/2026 16:16 UTC
40.124.117.126 Sonde PostgreSQL 18/06/2026 16:00 UTC

Événements (filtres)

Première observation

17/06/2026 21:02 UTC

Dernière observation

18/06/2026 09:22 UTC

Dernière activité (filtres)

18/06/2026 09:22 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

MINIKUBE NODEPORT TCP 2 HTTP TCP 1

MINIKUBE NODEPORT

HTTP

Géolocalisation

Origine réseau déclarée

Pays-Bas unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Microsoft Corporation 0 Port 30000 kubernetes_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

kubernetes probe · via MINIKUBE NODEPORT:30000 · (sonde / probe)

Détails protocole

Aperçu payload

Port / service

30000 · MINIKUBE NODEPORT

Service émulé

MINIKUBE-NODEPORT

Raison confiance

Confiance 50 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0554

Confiance

50% Confiance modérée — signal unique

Famille de menace

cloud_infra_scan

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

3 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

3 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 09:22:03 UTC	TCP	30000 · MINIKUBE NODEPORT	minikube-nodeport	Sonde Kubernetes API kubernetes probe · via MINIKUBE NODEPORT:30000 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur MINIKUBE-NODEPORT WAF — Recommandation Surveiller Tags minikube_nodeport_emulated minikube_nodeport_payload net_kubernetes_probe socks5_greeting Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 30000 Chemin / cible — Service MINIKUBE NODEPORT Payload Pourquoi cette classification : Type « kubernetes_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 3, "payload_entropy": 1.584962500721156, "port_category": "registered", "org": "Microsoft Corporation", "service": "minikube-nodeport", "app_proto": "minikube-nodeport", "asn": 8075, "country": "NL", "dst_port": 30000, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "194ea49cf151f53851d70731900c602c27522b0c", "event_fingerprint": "f1cce9d1ec2c20f03a9869cf6a12cb41de3a3b92", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 35 }, "service_name": "minikube-nodeport", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NL", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "da075e9d699084fc189cdd233081c49f", "path_pattern_hash": "9911336c7fd1406c8e284bedc6c69f4b" }, "target_context": { "dst_port": 30000, "service": "minikube-nodeport", "service_name": "minikube-nodeport", "risk_score": 35 }, "payload_preview": "\u0005\u0001\u0000", "request_sample": "\u0005\u0001\u0000", "payload_snippet": "\u0005\u0001\u0000", "evidence": { "request_sample": "\u0005\u0001\u0000", "payload_snippet": "\u0005\u0001\u0000", "classification_reason": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "39a0bc80b1074783695026743a42aa34d2010cfc", "protocol_details": { "payload_preview": "\u0005\u0001\u0000", "port": 30000, "service": "minikube-nodeport", "service_label_fr": "MINIKUBE NODEPORT" }, "attack_vector": "kubernetes probe \u00b7 via MINIKUBE NODEPORT:30000 \u00b7 (sonde \/ probe)", "target_port_label": "30000 \u00b7 MINIKUBE NODEPORT", "emulator_service": "minikube-nodeport", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "minikube-nodeport", "service_label_fr": "MINIKUBE NODEPORT", "dst_port": 30000, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-minikube-nodeport", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0005\u0001\u0000", "port": 30000, "service": "minikube-nodeport", "service_label_fr": "MINIKUBE NODEPORT" }, "attack_vector": "kubernetes probe \u00b7 via MINIKUBE NODEPORT:30000 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "30000 \u00b7 MINIKUBE NODEPORT", "emulator_service": "minikube-nodeport", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "minikube_nodeport", "service_banner": "honeypot-minikube-nodeport", "service_os": "linux", "dst_port": "30000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "minikube_nodeport_emulated", "minikube_nodeport_payload", "net_kubernetes_probe", "socks5_greeting" ] }
18/06/2026 04:00:32 UTC	TCP	30000 · MINIKUBE NODEPORT	minikube-nodeport	Sonde Kubernetes API kubernetes probe · via MINIKUBE NODEPORT:30000 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur MINIKUBE-NODEPORT WAF — Recommandation Surveiller Tags minikube_nodeport_emulated minikube_nodeport_payload net_kubernetes_probe socks4_greeting Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 30000 Chemin / cible — Service MINIKUBE NODEPORT Payload ��:�# Pourquoi cette classification : Type « kubernetes_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��:�# Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 9, "payload_entropy": 2.94770277922009, "port_category": "registered", "org": "Microsoft Corporation", "service": "minikube-nodeport", "app_proto": "minikube-nodeport", "asn": 8075, "country": "NL", "dst_port": 30000, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 24, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2a9fb44e89dea6190b3089ff3f53c3e922bff7a4", "event_fingerprint": "f1cce9d1ec2c20f03a9869cf6a12cb41de3a3b92", "classification_reason": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "minikube-nodeport", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NL", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8a3dcc79164df954ac1c71551d87209d", "path_pattern_hash": "9911336c7fd1406c8e284bedc6c69f4b" }, "target_context": { "dst_port": 30000, "service": "minikube-nodeport", "service_name": "minikube-nodeport", "risk_score": 24 }, "payload_preview": "\u0004\u0001\u0001\ufffd\ufffd:\ufffd#\u0000", "request_sample": "\u0004\u0001\u0001\ufffd\ufffd:\ufffd#\u0000", "payload_snippet": "\u0004\u0001\u0001\ufffd\ufffd:\ufffd#\u0000", "evidence": { "request_sample": "\u0004\u0001\u0001\ufffd\ufffd:\ufffd#\u0000", "payload_snippet": "\u0004\u0001\u0001\ufffd\ufffd:\ufffd#\u0000", "classification_reason": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf8bb7b1f8b53f3b98e3fb57ecfc95c47f407011", "protocol_details": { "payload_preview": "\u0004\u0001\u0001\ufffd\ufffd:\ufffd#\u0000", "port": 30000, "service": "minikube-nodeport", "service_label_fr": "MINIKUBE NODEPORT" }, "evidence_snippet": "\ufffd\ufffd:\ufffd#", "attack_vector": "kubernetes probe \u00b7 via MINIKUBE NODEPORT:30000 \u00b7 (sonde \/ probe)", "target_port_label": "30000 \u00b7 MINIKUBE NODEPORT", "emulator_service": "minikube-nodeport", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "minikube-nodeport", "service_label_fr": "MINIKUBE NODEPORT", "dst_port": 30000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-minikube-nodeport", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "\u0004\u0001\u0001\ufffd\ufffd:\ufffd#\u0000", "port": 30000, "service": "minikube-nodeport", "service_label_fr": "MINIKUBE NODEPORT" }, "attack_vector": "kubernetes probe \u00b7 via MINIKUBE NODEPORT:30000 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd:\ufffd#", "target_port_label": "30000 \u00b7 MINIKUBE NODEPORT", "emulator_service": "minikube-nodeport", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "minikube_nodeport", "service_banner": "honeypot-minikube-nodeport", "service_os": "linux", "dst_port": "30000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "minikube_nodeport_emulated", "minikube_nodeport_payload", "net_kubernetes_probe", "socks4_greeting" ] }
17/06/2026 21:02:57 UTC	TCP	30000 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:30000 · (sonde / probe) · → www.google.com.tr:443	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole CONNECT www.google.com.tr:443 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_dangerous_method http_method_uncommon http_missing_host http_no_ua Cible HTTP CONNECT www.google.com.tr:443 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode CONNECT Port 30000 Chemin / cible www.google.com.tr:443 Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 80% Confiance classification 80% Risque capteur Moyen · 40 Confiance : Confiance 80 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `CONNECT www.google.com.tr:443 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) CONNECT www.google.com.tr:443 HTTP/1.1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 0, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "9d97f41fb45bb65e3ef00e093e541d3ecad443a7", "http_referer_hash": null, "http_method": "CONNECT", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 42, "payload_entropy": 4.4812540297670855, "port_category": "registered", "org": "Microsoft Corporation", "service": "http", "app_proto": "http", "asn": 8075, "country": "NL", "dst_port": 30000, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 10 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "bb7a1f8e5982ed7a786e04de8def1a3fb2703845", "event_fingerprint": "b0543d128e4352b9a6b74dac0ce2b7d5cc20bebc", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NL", "asn": 8075, "org": "Microsoft Corporation", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "771b1d51f48a9a87307b343428856cd1", "path_pattern_hash": "4dcae57b8d83d496cc63a975b0132f2f" }, "service_name": "http", "target_context": { "dst_port": 30000, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "CONNECT www.google.com.tr:443 HTTP\/1.1\r\n\r\n", "method": "CONNECT", "path": "www.google.com.tr:443", "request_line": "CONNECT www.google.com.tr:443 HTTP\/1.1", "request_sample": "CONNECT www.google.com.tr:443 HTTP\/1.1\r\n\r\n", "payload_snippet": "CONNECT www.google.com.tr:443 HTTP\/1.1", "evidence": { "method": "CONNECT", "path": "www.google.com.tr:443", "request_line": "CONNECT www.google.com.tr:443 HTTP\/1.1", "request_sample": "CONNECT www.google.com.tr:443 HTTP\/1.1\r\n\r\n", "payload_snippet": "CONNECT www.google.com.tr:443 HTTP\/1.1", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 80%" }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 80%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 10, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.8, "classification_confidence": 0.8, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "143b464a9a1189e402e29d5c5ab5218c1b1eba66", "protocol_details": { "http_method": "CONNECT", "http_path": "www.google.com.tr:443", "request_line": "CONNECT www.google.com.tr:443 HTTP\/1.1", "port": 30000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "CONNECT www.google.com.tr:443 HTTP\/1.1", "attack_vector": "Sonde HTTP \u00b7 via HTTP:30000 \u00b7 (sonde \/ probe) \u00b7 \u2192 www.google.com.tr:443", "target_port_label": "30000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 80 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 80%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 80%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 80, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 10, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 30000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "CONNECT", "http_path": "www.google.com.tr:443", "request_line": "CONNECT www.google.com.tr:443 HTTP\/1.1", "port": 30000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:30000 \u00b7 (sonde \/ probe) \u00b7 \u2192 www.google.com.tr:443", "evidence_snippet": "CONNECT www.google.com.tr:443 HTTP\/1.1", "target_port_label": "30000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 80 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 80 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "30000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_dangerous_method", "http_method_uncommon", "http_missing_host", "http_no_ua", "net_web_probe" ] }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

51.136.107.220

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

51.136.107.220

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence