{"ip":"58.51.241.4","exported_at":"2026-06-20T09:04:18+00:00","period_days":30,"metrics":{"events7d":6,"distinct_ports":3,"distinct_classifications":2,"max_severity":8,"last_sensor_id":"paris-1","max_waf_score":16,"max_risk_score":100,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.5,"risk_breakdown":{"waf":60,"classification":42,"behavior":0,"geo":0,"protocol":25,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0001","top_mitre_count":3,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 42\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":60,"classification":42,"behavior":0,"geo":0,"protocol":25,"novelty":15,"risk_score":42},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":50,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Requ\u00eate favicon.ico","Single Port","Chemin b\u00e9nin connu"],"tags_summary":["INT-benign-favicon","INT-single-port","INT-benign-path-cap"],"attack_vector":"Sonde HTTP \u00b7 via HTTP:5050 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico","protocol_details":{"http_method":"GET","http_path":"\/favicon.ico","request_line":"GET \/favicon.ico HTTP\/1.1","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026","port":5050,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/favicon.ico \u00b7 UA Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple\u2026 \u00b7 HTTP:5050","evidence_snippet":"GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5050\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM","target_port_label":"5050 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF","classification_reason":"Sonde HTTP (tag rce-0) \u00b7 confiance 50%","classification_reason_label_fr":"Sonde HTTP (tag rce-0) \u00b7 confiance 50%","confidence_factors_fr":"Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF","payload_preview":"GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:5050\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM"},"events":[{"id":9668793,"ip":"58.51.241.4","ts":"2026-06-19 17:23:41.000000","proto":"tcp","src_port":41558,"dst_port":5050,"service":"http","classification":"web_probe","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022794d54186261fe2bc2736ed06e3d0e320c015c5f\u0022, \u0022http_host_hash\u0022: \u002293cff2cb32142a67ac2a16e86c195a93c816d7e1\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 233, \u0022payload_entropy\u0022: 5.322697892309027, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 5050, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002252079a1981846897a8433a4327cd7ee4d306a2dd\u0022, \u0022event_fingerprint\u0022: \u002242132d06babee669bf3086c1a52d786afc4f79ac\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.5, \u0022classification_confidence\u0022: 0.5, \u0022precision_score\u0022: 94, \u0022precision_signals\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 4134, \u0022org\u0022: \u0022Chinanet\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223f39f875a501422aded24cccae49cc9b\u0022, \u0022payload_hash\u0022: \u00227d562343449728d9c89b75af1a39085d\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5050, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224b5251983a71b3cb23ab79f87d2bafd5ec65f3ca\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 5050, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:5050 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u00225050 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5050, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Requ\u00eate favicon.ico\u0022, \u0022Single Port\u0022, \u0022Chemin b\u00e9nin connu\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 5050, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:5050 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022target_port_label\u0022: \u00225050 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5050","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":7,"bytes_in":233},{"id":9668789,"ip":"58.51.241.4","ts":"2026-06-19 17:23:37.000000","proto":"tcp","src_port":41556,"dst_port":5050,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022794d54186261fe2bc2736ed06e3d0e320c015c5f\u0022, \u0022http_host_hash\u0022: \u002293cff2cb32142a67ac2a16e86c195a93c816d7e1\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 222, \u0022payload_entropy\u0022: 5.318952511933112, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 5050, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022425d6dd180461bff7fc4df85d2e1d9f71416a266\u0022, \u0022event_fingerprint\u0022: \u0022c3c4e321bf3097e1eed3ff62527804f1b2652e6c\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 4134, \u0022org\u0022: \u0022Chinanet\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223f39f875a501422aded24cccae49cc9b\u0022, \u0022payload_hash\u0022: \u0022282a4426cd06a7fac92e018e98332d68\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5050, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221295d456c65a2453c693cf2d7ecedd7e22a24472\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 5050, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:5050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225050 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5050, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 5050, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:5050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5050\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00225050 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5050","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":222},{"id":9653536,"ip":"58.51.241.4","ts":"2026-06-19 12:11:56.000000","proto":"tcp","src_port":48212,"dst_port":8080,"service":"http","classification":"web_probe","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600\u0022, \u0022emulator_response_len\u0022: 130, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022794d54186261fe2bc2736ed06e3d0e320c015c5f\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 233, \u0022payload_entropy\u0022: 5.34634499533189, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002257f088a40ee12788bdcf96d0d3ffc1707c32a99e\u0022, \u0022event_fingerprint\u0022: \u0022f0c7540ae94dd06ee97286c4e47f9e7d5346b40e\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.5, \u0022classification_confidence\u0022: 0.5, \u0022precision_score\u0022: 94, \u0022precision_signals\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 4134, \u0022org\u0022: \u0022Chinanet\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223f39f875a501422aded24cccae49cc9b\u0022, \u0022payload_hash\u0022: \u0022ed53009e0b755f8d7d2c8f8713ca5ce9\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002221d4c8e0ad17aa403347995f843cd98fc9c77da3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Requ\u00eate favicon.ico\u0022, \u0022Single Port\u0022, \u0022Chemin b\u00e9nin connu\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":233},{"id":9653535,"ip":"58.51.241.4","ts":"2026-06-19 12:11:55.000000","proto":"tcp","src_port":48210,"dst_port":8080,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022794d54186261fe2bc2736ed06e3d0e320c015c5f\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 222, \u0022payload_entropy\u0022: 5.343771318258909, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022075e5345953235ea967a2535172cf98d1d3d388a\u0022, \u0022event_fingerprint\u0022: \u0022c4a5ea58b3d2b0d9f787b32d70530d766cc70177\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 4134, \u0022org\u0022: \u0022Chinanet\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223f39f875a501422aded24cccae49cc9b\u0022, \u0022payload_hash\u0022: \u00221199c632970d879873631169df85fdf8\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222bfdcdeaf8071c3fafcf977b568e33bea272deab\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:8080 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":222},{"id":9650666,"ip":"58.51.241.4","ts":"2026-06-19 11:09:34.000000","proto":"tcp","src_port":51886,"dst_port":5357,"service":"http","classification":"web_probe","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022794d54186261fe2bc2736ed06e3d0e320c015c5f\u0022, \u0022http_host_hash\u0022: \u0022e42510f4f5c75f2667a51c32bc000c1378cd772e\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 233, \u0022payload_entropy\u0022: 5.334272424549457, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 5357, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022157bf7a9f9941777ce965c1ae5596ada959c7c89\u0022, \u0022event_fingerprint\u0022: \u00224303c701a374ba64696c59dadb230afaadaae107\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.5, \u0022classification_confidence\u0022: 0.5, \u0022precision_score\u0022: 94, \u0022precision_signals\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 4134, \u0022org\u0022: \u0022Chinanet\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223f39f875a501422aded24cccae49cc9b\u0022, \u0022payload_hash\u0022: \u002260400184239aceba245c14ff19e0e680\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5357, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022da6c7524ccf748e70c9a6b47f330aa675c81f5bf\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 5357, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:5357 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u00225357 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag rce-0) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 42\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5357, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-benign-favicon\u0022, \u0022INT-single-port\u0022, \u0022INT-benign-path-cap\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Requ\u00eate favicon.ico\u0022, \u0022Single Port\u0022, \u0022Chemin b\u00e9nin connu\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 5357, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:5357 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM\u0022, \u0022target_port_label\u0022: \u00225357 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225357\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5357","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":7,"bytes_in":233},{"id":9650665,"ip":"58.51.241.4","ts":"2026-06-19 11:09:33.000000","proto":"tcp","src_port":50806,"dst_port":5357,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022794d54186261fe2bc2736ed06e3d0e320c015c5f\u0022, \u0022http_host_hash\u0022: \u0022e42510f4f5c75f2667a51c32bc000c1378cd772e\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 222, \u0022payload_entropy\u0022: 5.331100557032301, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022dst_port\u0022: 5357, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cdfa66e5e26bb767c36b5feea0d32911678bb369\u0022, \u0022event_fingerprint\u0022: \u0022f5bee6d858a1660e673d50db25fa04f5beabae7e\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CN\u0022, \u0022asn\u0022: 4134, \u0022org\u0022: \u0022Chinanet\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223f39f875a501422aded24cccae49cc9b\u0022, \u0022payload_hash\u0022: \u0022cd41be4789be2f7c10dd563cb2fe2010\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5357, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228dc633074d77869bbc7e5894a249de8537cfb7c7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 5357, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:5357 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225357 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5357, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122\u2026\u0022, \u0022port\u0022: 5357, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:5357 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5357\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec\u0022, \u0022target_port_label\u0022: \u00225357 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225357\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5357","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 Edg\/122.0.0.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":222},{"id":7901872,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":1020,"dst_port":1042,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.3338655824310743, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00223d98ad92a3453c0581dcbc48e61e476066134d0a\u0022, \u0022event_fingerprint\u0022: \u0022866a64b53ac26227409ad31bb859a548b9e864f2\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901873,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":730,"dst_port":8010,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022d2c7f99303baba5f18a7e7d462e75f8fa1525277\u0022, \u0022event_fingerprint\u0022: \u0022c6a23f07378c4ee97d39b2a5849d91741ad7dd56\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901874,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":942,"dst_port":8007,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00222d710ed7194815699f1e8bbc5b0591ef0f843ad3\u0022, \u0022event_fingerprint\u0022: \u002277a4d35d24fbcfb629ff46e444dad244ad68f233\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901875,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":1005,"dst_port":636,"service":"ldaps","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022ldaps\u0022, \u0022app_proto\u0022: \u0022ldaps\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022ae7d77eddb2b3fd5df51a28978249261ce9e9f67\u0022, \u0022event_fingerprint\u0022: \u0022de61ed5002d1798a93b58321df7099c7c39fc28c\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901876,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":615,"dst_port":873,"service":"rsync","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022rsync\u0022, \u0022app_proto\u0022: \u0022rsync\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u002229e78ad1fb963440d4d88d66755f1eaf5c73ef1b\u0022, \u0022event_fingerprint\u0022: \u0022946b05c81089bfc0460f7ef64cf5c3f3734227ed\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901877,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":926,"dst_port":18789,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022e0b4f3d377b93788c3768f3e9207679d1c4ba414\u0022, \u0022event_fingerprint\u0022: \u0022eb8b23d3c318aed488e86631c3df443dd5cf3c99\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901878,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":569,"dst_port":3306,"service":"mysql","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022mysql\u0022, \u0022app_proto\u0022: \u0022mysql\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022b219f7e92b6aa73270bafd4b46e5b4820a9616fc\u0022, \u0022event_fingerprint\u0022: \u0022fc636b2a9fe65cd127101ef17af779a5183b0a0c\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901879,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":699,"dst_port":83,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.5852269382093664, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u002233d4dd2d76143bb176e2bb89e7f5f4007cb0d161\u0022, \u0022event_fingerprint\u0022: \u00228ad067be3718fc0b21b06295426eb620e0bb8a13\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901880,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":1022,"dst_port":79,"service":"finger","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022finger\u0022, \u0022app_proto\u0022: \u0022finger\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u002286df81cba0a09e4362c618c3850bf169f7bec3ea\u0022, \u0022event_fingerprint\u0022: \u00222cb4c5cde31fcf04fac63f286a6acab4996f4119\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901881,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":815,"dst_port":264,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022c1fcbba7f3c53963d84486f8efb42a7930c6eccf\u0022, \u0022event_fingerprint\u0022: \u0022ea04d8a306bea75fc34c7b57737eba531e744ef5\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901882,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":770,"dst_port":8085,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00222a0da477b92ac3c9b59971a8760f65a83e966922\u0022, \u0022event_fingerprint\u0022: \u0022238bf529dd94a01cd3117a5af6f9f2dd663f3ea5\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901883,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":832,"dst_port":2001,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022619e6e0197a881605a827442fd3cd80e17980b03\u0022, \u0022event_fingerprint\u0022: \u002247d0cf35a422716be6015a5f3b0bd9b0a47bf056\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901884,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":836,"dst_port":15000,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.5680704040692879, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022449812ca195fd8678ead743d70114dd0b7997f0b\u0022, \u0022event_fingerprint\u0022: \u00225a5929d9b141ceb03380e4392141ad8fa748c63a\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901885,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":760,"dst_port":497,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022c35035d3b3912ae318622d5cfd54c6f313f2ae83\u0022, \u0022event_fingerprint\u0022: \u00227ce4dc6ae78e278d61000124d9d77c5e39bf841f\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901886,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":625,"dst_port":514,"service":"shell","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022shell\u0022, \u0022app_proto\u0022: \u0022shell\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022e884fcae06e6995e7c35c7fca3d870688a5f0244\u0022, \u0022event_fingerprint\u0022: \u0022f30562cadfba6f72d08a08196a27291e5fb3a8a2\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901887,"ip":"58.51.241.4","ts":"2026-05-28 19:12:40.000000","proto":"tcp","src_port":660,"dst_port":179,"service":"bgp","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.4827557867620353, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022bgp\u0022, \u0022app_proto\u0022: \u0022bgp\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022be7473046838f7227bdea9a5e1e4d87b59a9f385\u0022, \u0022event_fingerprint\u0022: \u0022b127b3b01390edbed00e4451ac6b2dfa43cba16d\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901848,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":617,"dst_port":1433,"service":"mssql","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022f1cc46f78675a804fc00b9b2aeb1c872a403cbea\u0022, \u0022event_fingerprint\u0022: \u00228f570cf827dc5baaefbcb07a060f98107c5249e5\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901849,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":1010,"dst_port":111,"service":"rpcbind","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 2.0229153034496714, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022rpcbind\u0022, \u0022app_proto\u0022: \u0022rpcbind\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022c3e25cab9917244e5288b3322c2bce33c9505d78\u0022, \u0022event_fingerprint\u0022: \u00227890ff4d1c4cb9540f6f6ccebb3623a9e91cbbbd\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901850,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":596,"dst_port":18790,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022dd972e71fd612a89b9758976bd1c40f0c634fa03\u0022, \u0022event_fingerprint\u0022: \u0022380dd3fa6f0e9fca4d719cd302eb6bd6362031ee\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901851,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":777,"dst_port":9000,"service":"php-fpm","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022php-fpm\u0022, \u0022app_proto\u0022: \u0022php-fpm\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022a3d90370207bc706a938aa8bf21083cd9cfc5a8e\u0022, \u0022event_fingerprint\u0022: \u0022e649deb0e62772e0059693ecf660d3972ac91c61\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901852,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":914,"dst_port":631,"service":"ipp","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022ipp\u0022, \u0022app_proto\u0022: \u0022ipp\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022a6b893a059e0dab1e42f98bd2fe0439f905837d3\u0022, \u0022event_fingerprint\u0022: \u00221db8c698a59afcbaeed546654fa3c9999b779694\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901853,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":937,"dst_port":32768,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022113f828533ea891283ff97559d92532e1c8a09af\u0022, \u0022event_fingerprint\u0022: \u00223679f0e4451daaa72483bcded75f690ee39ecfa1\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901854,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":556,"dst_port":7070,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00220ab4d948b906368430a5ad6957295b5f8a924d52\u0022, \u0022event_fingerprint\u0022: \u0022011e338dd1e99f0a54c02829e67162563b77dbef\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901855,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":877,"dst_port":646,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00227381da32b7f87c5a49d6ab413d8f4d019f82b015\u0022, \u0022event_fingerprint\u0022: \u002206bf7bf56d85d1c646ad252da4ae416fbc2845d4\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901856,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":788,"dst_port":500,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022ad28de92ffcd0bc97e4d57779e4285a153f40768\u0022, \u0022event_fingerprint\u0022: \u0022e6afd75b5c979e55a3ff00741b77f6d77505858e\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901857,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":783,"dst_port":111,"service":"rpcbind","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 2.0683698489042173, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022rpcbind\u0022, \u0022app_proto\u0022: \u0022rpcbind\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022c3e25cab9917244e5288b3322c2bce33c9505d78\u0022, \u0022event_fingerprint\u0022: \u00227890ff4d1c4cb9540f6f6ccebb3623a9e91cbbbd\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901858,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":811,"dst_port":2809,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00225060d223e5d23d332a36c9ba1dfa5540306ad34b\u0022, \u0022event_fingerprint\u0022: \u0022fa5701c022f3e2841371f728a9434ed2aa2099ce\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901859,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":955,"dst_port":548,"service":"afp","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022afp\u0022, \u0022app_proto\u0022: \u0022afp\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00225a91336f6d5abcc370ba8788cc3af71564e7c584\u0022, \u0022event_fingerprint\u0022: \u002248f198e90269326e36107de80ad6deccecbf7a78\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901860,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":981,"dst_port":1863,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.5680704040692879, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00225dc3f968d3c5e2c3003adad23290561da02c3c78\u0022, \u0022event_fingerprint\u0022: \u0022fec0f53a7acd40ff1967561f87efb0ff875a6ad9\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901861,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":843,"dst_port":1000,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00223fb287859250a317eb8e77bc2d6db754ee24e61c\u0022, \u0022event_fingerprint\u0022: \u0022f1ba69a29febcbd066731bf8f59df0e6e65ac9b6\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901862,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":705,"dst_port":3690,"service":"svn","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022svn\u0022, \u0022app_proto\u0022: \u0022svn\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00228a37e6da1e54429811e30d5f1439606840fb493a\u0022, \u0022event_fingerprint\u0022: \u0022200308ddd8e20d33dd5aaa4ab6750d4f718869bc\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901863,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":872,"dst_port":111,"service":"rpcbind","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.9235205817738177, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022rpcbind\u0022, \u0022app_proto\u0022: \u0022rpcbind\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022c3e25cab9917244e5288b3322c2bce33c9505d78\u0022, \u0022event_fingerprint\u0022: \u00227890ff4d1c4cb9540f6f6ccebb3623a9e91cbbbd\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901864,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":720,"dst_port":119,"service":"nntp","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022nntp\u0022, \u0022app_proto\u0022: \u0022nntp\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00224211abf205b5bc0f69fd7f16b861718bc66ac168\u0022, \u0022event_fingerprint\u0022: \u00220c57cbc325d6f2ff44cd5fccc34736c8003b5aec\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901865,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":758,"dst_port":1025,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022d2ca6b8ef710eeeb052d6fa831f76cc21cf37af3\u0022, \u0022event_fingerprint\u0022: \u0022122d04c198608a42e131e2c864ac1f971d9b6afc\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901866,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":710,"dst_port":2702,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00223b53737312bcb586cf2aa1a4be087549f8d8db54\u0022, \u0022event_fingerprint\u0022: \u00229ddd95ce5cdc6e07d3f267532a360354df4fc03b\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901867,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":943,"dst_port":563,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022152d9640fbd4feb59e2bef98b9021376f83cb487\u0022, \u0022event_fingerprint\u0022: \u00226a858c8d2f50a1747a01da0d0bdcb0b550b87180\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901868,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":947,"dst_port":161,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.5852269382093667, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00225923da8de1552ef919062993da83254684eb598f\u0022, \u0022event_fingerprint\u0022: \u00226c23d818b11e879ab2dd40f3ffbe88b82c387402\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901869,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":609,"dst_port":10000,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022d5a8362e441ef2bdc4ed814d82068deec5a15d14\u0022, \u0022event_fingerprint\u0022: \u0022b09120582604bc305dfd23df6aa93667d39fd541\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901870,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":852,"dst_port":901,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00227b88fdc16c9d5f138975e3dc396bd54d9ee54175\u0022, \u0022event_fingerprint\u0022: \u002245b9b765879d477f9ebf7e13d94884dd4a6dff3f\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901871,"ip":"58.51.241.4","ts":"2026-05-28 19:12:39.000000","proto":"tcp","src_port":938,"dst_port":32771,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u002227320fb1a2b27ea717797e8e921905e0cd9be5ce\u0022, \u0022event_fingerprint\u0022: \u00226326d97a3c330de45255cc5847d74c9465b50a17\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901817,"ip":"58.51.241.4","ts":"2026-05-28 19:12:38.000000","proto":"tcp","src_port":530,"dst_port":4000,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00223d64339f9629063489c51193a7a966ee79889206\u0022, \u0022event_fingerprint\u0022: \u0022d139b78ff1e8a309e9b6e489a585db63a7695d19\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901818,"ip":"58.51.241.4","ts":"2026-05-28 19:12:38.000000","proto":"tcp","src_port":669,"dst_port":1110,"service":null,"classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.5852269382093664, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u00225c76e32f7765ac1a2574258f2f40803b981a4668\u0022, \u0022event_fingerprint\u0022: \u00227ea501a16ce00f6b78783679cf6704cd9d226f72\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901819,"ip":"58.51.241.4","ts":"2026-05-28 19:12:38.000000","proto":"tcp","src_port":875,"dst_port":6667,"service":"irc","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.630681483663912, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022irc\u0022, \u0022app_proto\u0022: \u0022irc\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022ce41bf340ee31056b500cd5dc5464cad895f69c5\u0022, \u0022event_fingerprint\u0022: \u00222c27151e00e7dd4925d3190b7a5deb222390c5ea\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44},{"id":7901820,"ip":"58.51.241.4","ts":"2026-05-28 19:12:38.000000","proto":"tcp","src_port":863,"dst_port":1080,"service":"socks","classification":"port_scan_fast","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.5852269382093667, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Chinanet\u0022, \u0022service\u0022: \u0022socks\u0022, \u0022app_proto\u0022: \u0022socks\u0022, \u0022asn\u0022: 4134, \u0022country\u0022: \u0022CN\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 88, \u0022campaign_key\u0022: \u0022ab10396e996ac9be00372c7fda20f1a958811452\u0022, \u0022event_fingerprint\u0022: \u0022c7fe2f49ac86051bb21ee6bbb7aaf3b351e816af\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":44}],"total_events":6244}