{"ip":"59.127.68.36","exported_at":"2026-06-19T03:38:06+00:00","period_days":7,"metrics":{"events7d":15,"distinct_ports":6,"distinct_classifications":10,"max_severity":9,"last_sensor_id":"paris-1","max_waf_score":19,"max_risk_score":100,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["unknown"],"recommended_action":"monitor","confidence":0.49,"risk_breakdown":{"waf":8,"classification":38,"behavior":0,"geo":0,"protocol":22,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":9,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 35\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":38,"behavior":0,"geo":0,"protocol":22,"novelty":0,"risk_score":35},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":49,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0348"],"tags_summary":["pat-0348"],"attack_vector":"port 81 tcp \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000","port":81,"service":"http-alt-81","service_label_fr":"HTTP ALT 81"},"protocol_summary_fr":"Payload \u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u0003 \u00b7 HTTP ALT 81:81","evidence_snippet":"\ufffd","target_port_label":"81 \u00b7 HTTP ALT 81","emulator_service":"http-alt-81","confidence_reason":"Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes","classification_reason":"Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%","classification_reason_label_fr":"Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%","confidence_factors_fr":"Confiance 49 % \u2014 Score WAF 8","payload_preview":"\ufffd"},"events":[{"id":9138771,"ip":"59.127.68.36","ts":"2026-06-15 12:09:27.000000","proto":"tcp","src_port":61777,"dst_port":81,"service":"http-alt-81","classification":"port_81_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022app_proto\u0022: \u0022http-alt-81\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223f22551d39a092b08990354bd45c12679c434288\u0022, \u0022event_fingerprint\u0022: \u0022da8b22a909c287a6570bb2c7dce20fa4de2070cb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022http-alt-81\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022844041c5e4042c15d8ec9854632386ec\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022service_name\u0022: \u0022http-alt-81\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bae379cf60f0c198eee7c95775d7a1dcd0b04066\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 81\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 81 tcp \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP ALT 81\u0022, \u0022emulator_service\u0022: \u0022http-alt-81\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-81\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 81\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-81\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 81\u0022}, \u0022attack_vector\u0022: \u0022port 81 tcp \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP ALT 81\u0022, \u0022emulator_service\u0022: \u0022http-alt-81\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_81\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-81\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":9125759,"ip":"59.127.68.36","ts":"2026-06-15 10:15:36.000000","proto":"tcp","src_port":63117,"dst_port":82,"service":null,"classification":"port_82_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221db0c25c3e7fa7ce5373b024112f1cb734246e51\u0022, \u0022event_fingerprint\u0022: \u0022c4397f46a06da32deca07047a24c1b5a9b08c7f0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_82_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u002252e0bf4ab2b799978888079f70574e70\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_82_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224c35775cc8acea962a9e61726ebd3510698b805b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 82}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 82 tcp \u00b7 port 82 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002282\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_82_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_82_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 82}, \u0022attack_vector\u0022: \u0022port 82 tcp \u00b7 port 82 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002282\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":9123912,"ip":"59.127.68.36","ts":"2026-06-15 09:40:09.000000","proto":"tcp","src_port":62408,"dst_port":83,"service":null,"classification":"port_83_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 83, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a260732dc0a8c1540f02d73f462708a767e1c8c\u0022, \u0022event_fingerprint\u0022: \u00223ef2b49f44b2eb006b7bd03a961ab342deda739e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_83_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u00224a7b1a8d783e67d2ff3c8db2a91e8e5d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 83, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_83_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229738cfa545e4c263ce8618c02fa738917a063ff7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 83}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 83 tcp \u00b7 port 83 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002283\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_83_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_83_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 83, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 83}, \u0022attack_vector\u0022: \u0022port 83 tcp \u00b7 port 83 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002283\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002283\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":9123216,"ip":"59.127.68.36","ts":"2026-06-15 09:26:56.000000","proto":"tcp","src_port":49376,"dst_port":84,"service":null,"classification":"port_84_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 84, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224f3d8d4e3a9c9318ea39313050033868d1f60ec3\u0022, \u0022event_fingerprint\u0022: \u0022546285452bbd5f8ce47d091da5a63c6de86c6f50\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_84_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022cfac7605fc5aa8c0117c3c6e17eca918\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 84, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_84_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228df68b1432976dc8cdca3345c6556e9c9321c869\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 84}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 84 tcp \u00b7 port 84 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002284\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_84_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_84_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 84, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 84}, \u0022attack_vector\u0022: \u0022port 84 tcp \u00b7 port 84 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002284\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002284\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":9117521,"ip":"59.127.68.36","ts":"2026-06-15 07:32:52.000000","proto":"tcp","src_port":58984,"dst_port":86,"service":null,"classification":"port_86_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 19, \u0022payload_entropy\u0022: 1.8784775129881184, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 86, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224af089b9507a1e70353dc0c085550f8cbb8850d3\u0022, \u0022event_fingerprint\u0022: \u0022c8710676a0b481b56d1f6f8d9084f121bafccb94\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_86_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c7fc4bd4bc65329ae66eeb0073ae405e\u0022, \u0022path_pattern_hash\u0022: \u0022839ab593b10093c44b3ee061995f9bf0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 86, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_86_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb6bae1f37f1530793d02e948cf268e21a9cbb33\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 86}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 86 tcp \u00b7 port 86 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002286\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_86_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_86_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 86, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0013\\u000e\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 86}, \u0022attack_vector\u0022: \u0022port 86 tcp \u00b7 port 86 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002286\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002286\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":19},{"id":8892008,"ip":"59.127.68.36","ts":"2026-06-14 12:31:32.000000","proto":"tcp","src_port":63527,"dst_port":81,"service":"http","classification":"phpmyadmin_probe","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/phpmyadmin\/index.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00222c635ad650d01cbd2c0fc2f45522f3404c434adb\u0022, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022d9d69039afb2ecff72da068cd4d55fa567bb6898\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 351, \u0022payload_entropy\u0022: 5.5287391053057116, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a886725ae9475813b11f768804373ed1f70031c9\u0022, \u0022event_fingerprint\u0022: \u002280062ff12119bb8ef5f3382ec0709c0e95467fb4\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 140, \u0022precision_signals\u0022: [\u0022INT-SEC-phpmyadmin\u0022, \u0022pat-0747\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-SEC-phpmyadmin\u0022, \u0022pat-0747\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0747\u0022, \u0022pat-0269\u0022, \u0022pat-0270\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022Sigma phpMyAdmin\u0022, \u0022Probe \/phpMyAdmin\/\u0022, \u0022Probe \/phpmyadmin\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0747\u0022, \u0022pat-0269\u0022, \u0022pat-0270\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022adf894d47d9cb903c775334ed0de578a\u0022, \u0022payload_hash\u0022: \u00222818482c928651ab83a04ab363403b43\u0022, \u0022path_pattern_hash\u0022: \u00223c30a6d153f9af65c86ed8ad22dc540a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/phpmyadmin\/index.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8\\r\\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) A\u0022, \u0022payload_snippet\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/phpmyadmin\/index.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8\\r\\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) A\u0022, \u0022payload_snippet\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002286f3c1944c11508a56707bd90566eabfa6e4cdc7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/phpmyadmin\/index.php\u0022, \u0022request_line\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022attack_vector\u0022: \u0022phpmyadmin probe \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/phpmyadmin\/index.php\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-SEC-phpmyadmin\u0022, \u0022pat-0747\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Sonde phpMyAdmin\u0022, \u0022pat-0747\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/phpmyadmin\/index.php\u0022, \u0022request_line\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022phpmyadmin probe \u00b7 via HTTP:81 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/phpmyadmin\/index.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_phpmyadmin_probe\u0022, \u0022http_probe_phpmyadmin\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_phpmyadmin_probe\u0022, \u0022http_probe_phpmyadmin\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":351},{"id":8892009,"ip":"59.127.68.36","ts":"2026-06-14 12:31:32.000000","proto":"tcp","src_port":63558,"dst_port":81,"service":"http","classification":"xss_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/pmd\/index.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00222c635ad650d01cbd2c0fc2f45522f3404c434adb\u0022, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u00228d1717e978103288d9531d8d7a2d4c48c6174cd4\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 344, \u0022payload_entropy\u0022: 5.525367529934442, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022adab595e4331d7bec6b986c47697fca4df234d1c\u0022, \u0022event_fingerprint\u0022: \u002203f165a284065acd797d60b56c46199b5f717efd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022adf894d47d9cb903c775334ed0de578a\u0022, \u0022payload_hash\u0022: \u002272fce6c2a0f6123d8ecae7ea7c3ebc95\u0022, \u0022path_pattern_hash\u0022: \u0022d10368097e2d26bf37929d712babb32d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/pmd\/index.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8\\r\\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb\u0022, \u0022payload_snippet\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/pmd\/index.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8\\r\\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb\u0022, \u0022payload_snippet\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022670318d09479f80e533528cb3eb9a49225a8e3c7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/pmd\/index.php\u0022, \u0022request_line\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/pmd\/index.php\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/pmd\/index.php\u0022, \u0022request_line\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/pmd\/index.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":344},{"id":8891409,"ip":"59.127.68.36","ts":"2026-06-14 12:27:00.000000","proto":"tcp","src_port":49402,"dst_port":82,"service":"http","classification":"xss_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/pmd\/index.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00222c635ad650d01cbd2c0fc2f45522f3404c434adb\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u00228d1717e978103288d9531d8d7a2d4c48c6174cd4\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 344, \u0022payload_entropy\u0022: 5.528987043009548, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226c0b9fe95853a2a15b214b1f6b937416914203bf\u0022, \u0022event_fingerprint\u0022: \u0022d5ef5bc29d5c346f3b4f9102f47df3fbd11e09b4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022adf894d47d9cb903c775334ed0de578a\u0022, \u0022payload_hash\u0022: \u002272fce6c2a0f6123d8ecae7ea7c3ebc95\u0022, \u0022path_pattern_hash\u0022: \u0022d10368097e2d26bf37929d712babb32d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/pmd\/index.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8\\r\\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb\u0022, \u0022payload_snippet\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/pmd\/index.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8\\r\\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb\u0022, \u0022payload_snippet\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002209e7b4b4b4329a46518980e91ea8aa7ca9d6b304\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/pmd\/index.php\u0022, \u0022request_line\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/pmd\/index.php\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 49}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/pmd\/index.php\u0022, \u0022request_line\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via HTTP:82 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/pmd\/index.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/pmd\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,im\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":9,"bytes_in":344},{"id":8891407,"ip":"59.127.68.36","ts":"2026-06-14 12:26:59.000000","proto":"tcp","src_port":49340,"dst_port":82,"service":"http","classification":"phpmyadmin_probe","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/phpmyadmin\/index.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00222c635ad650d01cbd2c0fc2f45522f3404c434adb\u0022, \u0022http_host_hash\u0022: \u0022b00c56701bd04898edc8a488547d32d613363649\u0022, \u0022http_target_hash\u0022: \u0022d9d69039afb2ecff72da068cd4d55fa567bb6898\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 351, \u0022payload_entropy\u0022: 5.532286434359378, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 82, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224c941fbb01761ff5367fc9f90be070eea96d5b4a\u0022, \u0022event_fingerprint\u0022: \u0022ec9378bb93c02782d8c2529a3e31f21164b2f9cc\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 140, \u0022precision_signals\u0022: [\u0022INT-SEC-phpmyadmin\u0022, \u0022pat-0747\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-SEC-phpmyadmin\u0022, \u0022pat-0747\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0747\u0022, \u0022pat-0269\u0022, \u0022pat-0270\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022Sigma phpMyAdmin\u0022, \u0022Probe \/phpMyAdmin\/\u0022, \u0022Probe \/phpmyadmin\/\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0747\u0022, \u0022pat-0269\u0022, \u0022pat-0270\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022adf894d47d9cb903c775334ed0de578a\u0022, \u0022payload_hash\u0022: \u00222818482c928651ab83a04ab363403b43\u0022, \u0022path_pattern_hash\u0022: \u00223c30a6d153f9af65c86ed8ad22dc540a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/phpmyadmin\/index.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8\\r\\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) A\u0022, \u0022payload_snippet\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/phpmyadmin\/index.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8\\r\\nAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,ko;q=0.4\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) A\u0022, \u0022payload_snippet\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227b2d66ed3621197b8bcdcded85f6ed36962cbfa3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/phpmyadmin\/index.php\u0022, \u0022request_line\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022attack_vector\u0022: \u0022phpmyadmin probe \u00b7 via HTTP:82 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/phpmyadmin\/index.php\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1595 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 82, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-SEC-phpmyadmin\u0022, \u0022pat-0747\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Sonde phpMyAdmin\u0022, \u0022pat-0747\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/phpmyadmin\/index.php\u0022, \u0022request_line\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36\u0022, \u0022port\u0022: 82, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022phpmyadmin probe \u00b7 via HTTP:82 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/phpmyadmin\/index.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/phpmyadmin\/index.php HTTP\/1.1\\r\\nConnection: Keep-Alive\\r\\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/\u0022, \u0022target_port_label\u0022: \u002282 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002282\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_phpmyadmin_probe\u0022, \u0022http_probe_phpmyadmin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:82","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3464.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_phpmyadmin_probe\u0022, \u0022http_probe_phpmyadmin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":351},{"id":8829373,"ip":"59.127.68.36","ts":"2026-06-13 16:17:38.000000","proto":"tcp","src_port":60827,"dst_port":81,"service":"http-alt-81","classification":"http-alt-81","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 95, \u0022payload_entropy\u0022: 4.693033402864555, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022app_proto\u0022: \u0022http-alt-81\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002278af023cf79e2cc551b3bc717eee4762bcf624d5\u0022, \u0022event_fingerprint\u0022: \u0022da8b22a909c287a6570bb2c7dce20fa4de2070cb\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022http-alt-81\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226c5baa0340f3375104f686d3d2c9e499\u0022, \u0022path_pattern_hash\u0022: \u002296b5770472eb71fcb1b2ba3134979c11\u0022, \u0022ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022tls_version\u0022: \u00220x0301\u0022, \u0022tls_cipher_count\u0022: 7, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_ja3\u0022: \u0022769,49162-49161-49172-49171-53-47-10,10-11-35-23-65281,29-23-24,0\u0022, \u0022tls_ja4_hash\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022tls_ja4\u0022: \u0022t13d0107_b7265d80ddb0_28135b4947ef\u0022, \u0022tls_version\u0022: \u00220x0301\u0022, \u0022tls_cipher_count\u0022: 7, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022service_name\u0022: \u0022http-alt-81\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\\u0007N\\u0011\ufffd\\u001d^K\ufffdz\ufffdRl\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\\u0007N\\u0011\ufffd\\u001d^K\ufffdz\ufffdRl\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\\u0007N\\u0011\ufffd\\u001d^K\ufffdz\ufffdRl\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\\u0007N\\u0011\ufffd\\u001d^K\ufffdz\ufffdRl\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\\u0007N\\u0011\ufffd\\u001d^K\ufffdz\ufffdRl\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002258194eef604a306f756ff2b535e4164bf8fc7313\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\\u0007N\\u0011\ufffd\\u001d^K\ufffdz\ufffdRl\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022tls_ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 81\u0022}, \u0022evidence_snippet\u0022: \u0022ZVj-\ufffd\ufffd\ufffd\ufffd\ufffd-u\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;N\ufffd^K\ufffdz\ufffdRl\ufffd\ufffd\\n\ufffd\\t\ufffd\ufffd5\/\\n\\n#\ufffd\u0022, \u0022attack_vector\u0022: \u0022http-alt-81 \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP ALT 81\u0022, \u0022emulator_service\u0022: \u0022http-alt-81\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-81\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 81\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-81\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffd\ufffd\ufffd\ufffd-u\\u001d\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;\\u0007N\\u0011\ufffd\\u001d^K\ufffdz\ufffdRl\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022tls_ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 81\u0022}, \u0022attack_vector\u0022: \u0022http-alt-81 \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022ZVj-\ufffd\ufffd\ufffd\ufffd\ufffd-u\ufffd\ufffdJ\ufffd\u07f1\ufffd\ufffd;N\ufffd^K\ufffdz\ufffdRl\ufffd\ufffd\\n\ufffd\\t\ufffd\ufffd5\/\\n\\n#\ufffd\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP ALT 81\u0022, \u0022emulator_service\u0022: \u0022http-alt-81\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_81\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-81\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-81\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":95},{"id":8829370,"ip":"59.127.68.36","ts":"2026-06-13 16:17:37.000000","proto":"tcp","src_port":60769,"dst_port":81,"service":"http","classification":"config_file_probe","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950613:tomcat-manager\u0022]","http_method":"GET","http_target":"\/manager\/html","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002271582f7cec1d198915fac5fc7c73ef396f2954d6\u0022, \u0022http_host_hash\u0022: \u0022f257870e26046e30cbd03e9d5726ca53aa58b86f\u0022, \u0022http_target_hash\u0022: \u0022471948290e7410d0a5241ee075d920bc17a92486\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 217, \u0022payload_entropy\u0022: 5.398633346153425, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 78, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220f5773248a66dfbd80b14ff58a53b6a44fb2fcf0\u0022, \u0022event_fingerprint\u0022: \u0022d4d06c09462605e92212dae3cbea23c1f3ddfd41\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0856\u0022, \u0022pat-0265\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Tomcat manager\u0022, \u0022Probe \/manager\/html\u0022], \u0022pattern_ids\u0022: [\u0022pat-0856\u0022, \u0022pat-0265\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 78}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222da35aefb7eec9447dea0b632e44eff7\u0022, \u0022payload_hash\u0022: \u00223fe5a0ff1bb3ff978f924a2f9ec545cb\u0022, \u0022path_pattern_hash\u0022: \u00222a5bd2a503123c9365f0cfa2aeeb56d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 78}, \u0022payload_preview\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept:\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/manager\/html\u0022, \u0022user_agent\u0022: \u0022User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950613:tomcat-manager\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022tomcat-manager\u0022], \u0022request_line\u0022: \u0022GET \/manager\/html HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept: *\/*\\r\\nAccept-Language: zh-cn,en-us;q=0.5\\r\\nHost: 62.3.50.33:81\\r\\nConnection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/manager\/html\u0022, \u0022user_agent\u0022: \u0022User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950613:tomcat-manager\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022tomcat-manager\u0022], \u0022request_line\u0022: \u0022GET \/manager\/html HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept: *\/*\\r\\nAccept-Language: zh-cn,en-us;q=0.5\\r\\nHost: 62.3.50.33:81\\r\\nConnection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ffad68b435828cc095d10d6b6dfc94a7d8bcb275\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/manager\/html\u0022, \u0022request_line\u0022: \u0022GET \/manager\/html HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/manager\/html\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 78\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 78}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 78, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/manager\/html\u0022, \u0022request_line\u0022: \u0022GET \/manager\/html HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:81 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/manager\/html\u0022, \u0022evidence_snippet\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950613:tomcat-manager\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_metasploit_ua\u0022, \u0022http_probe_manager\u0022, \u0022http_sensitive_path\u0022, \u0022http_tomcat_manager_probe\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:81","http_user_agent":"User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950613:tomcat-manager\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_metasploit_ua\u0022, \u0022http_probe_manager\u0022, \u0022http_sensitive_path\u0022, \u0022http_tomcat_manager_probe\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":217},{"id":8829372,"ip":"59.127.68.36","ts":"2026-06-13 16:17:37.000000","proto":"tcp","src_port":60799,"dst_port":81,"service":"http-alt-81","classification":"http-alt-81","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 95, \u0022payload_entropy\u0022: 4.611608797669717, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022app_proto\u0022: \u0022http-alt-81\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 81, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002278af023cf79e2cc551b3bc717eee4762bcf624d5\u0022, \u0022event_fingerprint\u0022: \u0022da8b22a909c287a6570bb2c7dce20fa4de2070cb\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022http-alt-81\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221723523162c4a6b7530203edbfe60b67\u0022, \u0022path_pattern_hash\u0022: \u002296b5770472eb71fcb1b2ba3134979c11\u0022, \u0022ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022tls_version\u0022: \u00220x0301\u0022, \u0022tls_cipher_count\u0022: 7, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_ja3\u0022: \u0022769,49162-49161-49172-49171-53-47-10,10-11-35-23-65281,29-23-24,0\u0022, \u0022tls_ja4_hash\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022tls_ja4\u0022: \u0022t13d0107_b7265d80ddb0_28135b4947ef\u0022, \u0022tls_version\u0022: \u00220x0301\u0022, \u0022tls_cipher_count\u0022: 7, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 81, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022service_name\u0022: \u0022http-alt-81\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffdqy\\u0018C\ufffd\ufffd\\u0017\\nq\u0027\ufffdH\ufffd#@k1\\u0017\ufffd}\ufffd;~V\\u000f\\u0007~\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffdqy\\u0018C\ufffd\ufffd\\u0017\\nq\u0027\ufffdH\ufffd#@k1\\u0017\ufffd}\ufffd;~V\\u000f\\u0007~\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffdqy\\u0018C\ufffd\ufffd\\u0017\\nq\u0027\ufffdH\ufffd#@k1\\u0017\ufffd}\ufffd;~V\\u000f\\u0007~\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffdqy\\u0018C\ufffd\ufffd\\u0017\\nq\u0027\ufffdH\ufffd#@k1\\u0017\ufffd}\ufffd;~V\\u000f\\u0007~\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffdqy\\u0018C\ufffd\ufffd\\u0017\\nq\u0027\ufffdH\ufffd#@k1\\u0017\ufffd}\ufffd;~V\\u000f\\u0007~\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225709b5f30b144b068870681df0bc4a2ef244405b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffdqy\\u0018C\ufffd\ufffd\\u0017\\nq\u0027\ufffdH\ufffd#@k1\\u0017\ufffd}\ufffd;~V\\u000f\\u0007~\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022tls_ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 81\u0022}, \u0022evidence_snippet\u0022: \u0022ZVj-\ufffd\ufffdqyC\ufffd\ufffd\\nq\u0027\ufffdH\ufffd#@k1\ufffd}\ufffd;~V~\ufffd\ufffd\\n\ufffd\\t\ufffd\ufffd5\/\\n\\n#\ufffd\u0022, \u0022attack_vector\u0022: \u0022http-alt-81 \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP ALT 81\u0022, \u0022emulator_service\u0022: \u0022http-alt-81\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http-alt-81 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-81\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 81\u0022, \u0022dst_port\u0022: 81, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-81\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-\ufffd\ufffdqy\\u0018C\ufffd\ufffd\\u0017\\nq\u0027\ufffdH\ufffd#@k1\\u0017\ufffd}\ufffd;~V\\u000f\\u0007~\ufffd\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022tls_ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022port\u0022: 81, \u0022service\u0022: \u0022http-alt-81\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 81\u0022}, \u0022attack_vector\u0022: \u0022http-alt-81 \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022ZVj-\ufffd\ufffdqyC\ufffd\ufffd\\nq\u0027\ufffdH\ufffd#@k1\ufffd}\ufffd;~V~\ufffd\ufffd\\n\ufffd\\t\ufffd\ufffd5\/\\n\\n#\ufffd\u0022, \u0022target_port_label\u0022: \u002281 \u00b7 HTTP ALT 81\u0022, \u0022emulator_service\u0022: \u0022http-alt-81\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_81\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-81\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002281\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-81\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":95},{"id":8826192,"ip":"59.127.68.36","ts":"2026-06-13 15:33:15.000000","proto":"tcp","src_port":53808,"dst_port":85,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 3, \u0022bytes_in\u0022: 95, \u0022payload_entropy\u0022: 4.660794289175406, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 85, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231a047642b29cfbe29d3a33bc466b99d2bddbb3d\u0022, \u0022event_fingerprint\u0022: \u0022ff2a49f50cf316ab588daa86e8c6e68a902114f8\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022payload_hash\u0022: \u0022447919c0d7072fe2e15f4b086da370f6\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022, \u0022ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022tls_version\u0022: \u00220x0301\u0022, \u0022tls_cipher_count\u0022: 7, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022769,49162-49161-49172-49171-53-47-10,10-11-35-23-65281,29-23-24,0\u0022, \u0022tls_ja4_hash\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022tls_ja4\u0022: \u0022t13d0107_b7265d80ddb0_28135b4947ef\u0022, \u0022tls_version\u0022: \u00220x0301\u0022, \u0022tls_cipher_count\u0022: 7, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 85, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\\u0000\ufffdv\u0026\\u0001\\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\\u001d\u003CX\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\\u0000\ufffdv\u0026\\u0001\\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\\u001d\u003CX\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\\u0000\ufffdv\u0026\\u0001\\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\\u001d\u003CX\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\\u0000\ufffdv\u0026\\u0001\\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\\u001d\u003CX\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\\u0000\ufffdv\u0026\\u0001\\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\\u001d\u003CX\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002212fc1ffe80351de5d0db9ee2222464afeb1849e0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\\u0000\ufffdv\u0026\\u0001\\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\\u001d\u003CX\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022tls_ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022port\u0022: 85, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022ZVj-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\ufffdv\u0026\ufffdt\ufffdvm\ufffdq\ufffd}N\u003CX\ufffd\\n\ufffd\\t\ufffd\ufffd5\/\\n\\n#\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:85 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002285 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 85, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\\u0000\ufffdv\u0026\\u0001\\u001c\ufffdt\ufffdvm\ufffdq\ufffd}N\\u001d\u003CX\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022tls_ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022port\u0022: 85, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:85 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022ZVj-xB\ufffd\ufffd\ufffdz\ufffd\ufffd\u05e4\ufffd\ufffdv\u0026\ufffdt\ufffdvm\ufffdq\ufffd}N\u003CX\ufffd\\n\ufffd\\t\ufffd\ufffd5\/\\n\\n#\ufffd\u0022, \u0022target_port_label\u0022: \u002285 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002285\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"fc54e0d16d9764783542f0146a98b300","tls_ja3":"769,49162-49161-49172-49171-53-47-10,10-11-35-23-65281,29-23-24,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":95},{"id":8826193,"ip":"59.127.68.36","ts":"2026-06-13 15:33:15.000000","proto":"tcp","src_port":53865,"dst_port":85,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 3, \u0022bytes_in\u0022: 95, \u0022payload_entropy\u0022: 4.645767876594312, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 85, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002231a047642b29cfbe29d3a33bc466b99d2bddbb3d\u0022, \u0022event_fingerprint\u0022: \u0022ff2a49f50cf316ab588daa86e8c6e68a902114f8\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022payload_hash\u0022: \u00227414fc280838c39477c0ceb44b1fd3a2\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022, \u0022ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022tls_version\u0022: \u00220x0301\u0022, \u0022tls_cipher_count\u0022: 7, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022769,49162-49161-49172-49171-53-47-10,10-11-35-23-65281,29-23-24,0\u0022, \u0022tls_ja4_hash\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022tls_ja4\u0022: \u0022t13d0107_b7265d80ddb0_28135b4947ef\u0022, \u0022tls_version\u0022: \u00220x0301\u0022, \u0022tls_cipher_count\u0022: 7, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 85, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xBTs *\ufffdv2*\ufffdql\\u0010\ufffdjA\\u0002\ufffd\\u0017\\u001f\\n\ufffd\ufffd\ufffd8\\u001dK\ufffdv\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xBTs *\ufffdv2*\ufffdql\\u0010\ufffdjA\\u0002\ufffd\\u0017\\u001f\\n\ufffd\ufffd\ufffd8\\u001dK\ufffdv\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xBTs *\ufffdv2*\ufffdql\\u0010\ufffdjA\\u0002\ufffd\\u0017\\u001f\\n\ufffd\ufffd\ufffd8\\u001dK\ufffdv\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xBTs *\ufffdv2*\ufffdql\\u0010\ufffdjA\\u0002\ufffd\\u0017\\u001f\\n\ufffd\ufffd\ufffd8\\u001dK\ufffdv\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xBTs *\ufffdv2*\ufffdql\\u0010\ufffdjA\\u0002\ufffd\\u0017\\u001f\\n\ufffd\ufffd\ufffd8\\u001dK\ufffdv\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dd87711b3cf5d906c3efdab49047a25f8f810092\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xBTs *\ufffdv2*\ufffdql\\u0010\ufffdjA\\u0002\ufffd\\u0017\\u001f\\n\ufffd\ufffd\ufffd8\\u001dK\ufffdv\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022tls_ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022port\u0022: 85, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022ZVj-xBTs *\ufffdv2*\ufffdql\ufffdjA\ufffd\\n\ufffd\ufffd\ufffd8K\ufffdv\ufffd\\n\ufffd\\t\ufffd\ufffd5\/\\n\\n#\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:85 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002285 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 85, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000Z\\u0001\\u0000\\u0000V\\u0003\\u0001j-xBTs *\ufffdv2*\ufffdql\\u0010\ufffdjA\\u0002\ufffd\\u0017\\u001f\\n\ufffd\ufffd\ufffd8\\u001dK\ufffdv\\u0000\\u0000\\u000e\ufffd\\n\ufffd\\t\ufffd\\u0014\ufffd\\u0013\\u00005\\u0000\/\\u0000\\n\\u0001\\u0000\\u0000\\u001f\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022tls_ja3\u0022: \u0022fc54e0d16d9764783542f0146a98b300\u0022, \u0022tls_ja4\u0022: \u00223ab2335e12df1a4a6be80ed5e53cce26\u0022, \u0022port\u0022: 85, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:85 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022ZVj-xBTs *\ufffdv2*\ufffdql\ufffdjA\ufffd\\n\ufffd\ufffd\ufffd8K\ufffdv\ufffd\\n\ufffd\\t\ufffd\ufffd5\/\\n\\n#\ufffd\u0022, \u0022target_port_label\u0022: \u002285 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002285\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"fc54e0d16d9764783542f0146a98b300","tls_ja3":"769,49162-49161-49172-49171-53-47-10,10-11-35-23-65281,29-23-24,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":95},{"id":8826191,"ip":"59.127.68.36","ts":"2026-06-13 15:33:14.000000","proto":"tcp","src_port":53745,"dst_port":85,"service":"http","classification":"config_file_probe","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950613:tomcat-manager\u0022]","http_method":"GET","http_target":"\/manager\/html","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002271582f7cec1d198915fac5fc7c73ef396f2954d6\u0022, \u0022http_host_hash\u0022: \u002229631142709d39bee607e41cbb81ae54d3741f51\u0022, \u0022http_target_hash\u0022: \u0022471948290e7410d0a5241ee075d920bc17a92486\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 217, \u0022payload_entropy\u0022: 5.396953493726696, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 3462, \u0022country\u0022: \u0022TW\u0022, \u0022dst_port\u0022: 85, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 78, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220e3b7c0857bc670d28d149d776fedc21ea8b6b0a\u0022, \u0022event_fingerprint\u0022: \u002257bf439c0ca87c04b5b0ac2dfa7f3d0e74bb8755\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0856\u0022, \u0022pat-0265\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Tomcat manager\u0022, \u0022Probe \/manager\/html\u0022], \u0022pattern_ids\u0022: [\u0022pat-0856\u0022, \u0022pat-0265\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 78}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TW\u0022, \u0022asn\u0022: 3462, \u0022org\u0022: \u0022Data Communication Business Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222da35aefb7eec9447dea0b632e44eff7\u0022, \u0022payload_hash\u0022: \u0022064be40181a4dff399b6e5393eda6616\u0022, \u0022path_pattern_hash\u0022: \u00222a5bd2a503123c9365f0cfa2aeeb56d1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 85, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 78}, \u0022payload_preview\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept:\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/manager\/html\u0022, \u0022user_agent\u0022: \u0022User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950613:tomcat-manager\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022tomcat-manager\u0022], \u0022request_line\u0022: \u0022GET \/manager\/html HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept: *\/*\\r\\nAccept-Language: zh-cn,en-us;q=0.5\\r\\nHost: 62.3.50.33:85\\r\\nConnection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/manager\/html\u0022, \u0022user_agent\u0022: \u0022User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950613:tomcat-manager\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022tomcat-manager\u0022], \u0022request_line\u0022: \u0022GET \/manager\/html HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept: *\/*\\r\\nAccept-Language: zh-cn,en-us;q=0.5\\r\\nHost: 62.3.50.33:85\\r\\nConnection: Keep-Alive\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220a0e84a9462862b809de75ccf53e080580a97ff4\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/manager\/html\u0022, \u0022request_line\u0022: \u0022GET \/manager\/html HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\u0022, \u0022port\u0022: 85, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:85 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/manager\/html\u0022, \u0022target_port_label\u0022: \u002285 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 78\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 78}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 78, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 85, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/manager\/html\u0022, \u0022request_line\u0022: \u0022GET \/manager\/html HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\u0022, \u0022port\u0022: 85, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:85 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/manager\/html\u0022, \u0022evidence_snippet\u0022: \u0022GET \/manager\/html HTTP\/1.1\\r\\nUser-Agent: User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002285 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002285\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950613:tomcat-manager\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_metasploit_ua\u0022, \u0022http_probe_manager\u0022, \u0022http_sensitive_path\u0022, \u0022http_tomcat_manager_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:85","http_user_agent":"User-Agent:Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950613:tomcat-manager\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_metasploit_ua\u0022, \u0022http_probe_manager\u0022, \u0022http_sensitive_path\u0022, \u0022http_tomcat_manager_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":217}],"total_events":15}