{"ip":"80.66.66.38","exported_at":"2026-07-19T13:39:37+00:00","period_days":30,"metrics":{"events7d":174,"distinct_ports":101,"distinct_classifications":2,"max_severity":7,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":50,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":8,"classification":52,"behavior":0,"geo":0,"protocol":0,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":172,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":52,"behavior":0,"geo":0,"protocol":0,"novelty":0,"risk_score":50,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":100,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0347","pat-0348"],"tags_summary":["pat-0347","pat-0348"],"attack_vector":"rdp probe \u00b7 port 6011 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0003\u0000\u0000\/*\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=Administr\r\n\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000","port":6011},"protocol_summary_fr":"Payload \u0003\u0000\u0000\/*\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=Administr\r\n\u0001\u0000\b\u0000\u0003","evidence_snippet":"\/*\ufffdCookie: mstshash=Administr","target_port_label":"6011","emulator_service":null,"confidence_reason":"Confiance 100 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8","payload_preview":"\/*\ufffdCookie: mstshash=Administr"},"events":[{"id":12828375,"ip":"80.66.66.38","ts":"2026-07-19 02:48:42.000000","proto":"tcp","src_port":63094,"dst_port":6011,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 6011, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002272c8e2c08486e7d5ea70b35f4b06646f7ba10cb2\u0022, \u0022event_fingerprint\u0022: \u002271fe5749a19ccfaf8321f0a529367a742af85fe2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6011, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227429c598328a82830c02ee795d5a472df25b9e55\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6011}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 6011 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226011\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 6011, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6011}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 6011 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00226011\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226011\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:13391\u0022, \u0022port:6011\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12828234,"ip":"80.66.66.38","ts":"2026-07-19 02:46:32.000000","proto":"tcp","src_port":63649,"dst_port":13391,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 13391, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022925063cdaa4f4a2a7495bcd5d10b45474b4979e2\u0022, \u0022event_fingerprint\u0022: \u0022cf5765db44710740c838c009abe93a2a95fc65cf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 13391, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224c91b13af1e3357854a8f57b311e93ee8f59fda6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 13391}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 13391 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002213391\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 13391, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 13391}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 13391 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002213391\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002213391\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12827730,"ip":"80.66.66.38","ts":"2026-07-19 02:38:04.000000","proto":"tcp","src_port":63714,"dst_port":5515,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5515, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bc56bea35551c3c01f58df2550f3f6f7388af8a0\u0022, \u0022event_fingerprint\u0022: \u0022f08c387dc89092d87e227bd4d15b3ee58dd8b1bb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5515, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002252d34d26a75bf6e3d7f67a76222020c53fd66298\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5515}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5515 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225515\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 5515, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5515}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5515 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00225515\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225515\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12826656,"ip":"80.66.66.38","ts":"2026-07-19 02:19:51.000000","proto":"tcp","src_port":63071,"dst_port":31399,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 31399, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002201ee6145d82e7a4e264de936732d8530219878ad\u0022, \u0022event_fingerprint\u0022: \u0022a6f458816ea59d717b4858db41cfc773203bfbfa\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 31399, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228d7ee63fd13981ca80ca4d5363879f4e26d64823\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31399}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31399 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002231399\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 31399, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31399}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31399 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002231399\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002231399\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12825935,"ip":"80.66.66.38","ts":"2026-07-19 02:05:58.000000","proto":"tcp","src_port":65527,"dst_port":4039,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 4039, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228dc8fbbb051c7b13e736353e503c3d4072649a11\u0022, \u0022event_fingerprint\u0022: \u00228440b70028e933378756d8b022a5275b1f1ce42c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4039, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228176fe1e0c7ba853c6c7d97b775b594246b56b59\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4039}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 4039 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224039\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 4039, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4039}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 4039 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00224039\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224039\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12825544,"ip":"80.66.66.38","ts":"2026-07-19 01:59:43.000000","proto":"tcp","src_port":64964,"dst_port":11398,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 11398, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f8c6828621640a9710514199f6f183b57002bd78\u0022, \u0022event_fingerprint\u0022: \u0022db99af3d0209322417d3ab1924583aa22d90dc78\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11398, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022912f060a583469d4ee21e7ed673954900b769c67\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 11398}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 11398 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002211398\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 11398, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 11398}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 11398 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002211398\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211398\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12821969,"ip":"80.66.66.38","ts":"2026-07-19 01:00:51.000000","proto":"tcp","src_port":63142,"dst_port":5050,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002249aa886608fa73ba56a5de63e306ce3919a33f0f\u0022, \u0022event_fingerprint\u0022: \u0022eeb1d404915ea1c6b5b562c3d062ba95da80930b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5050, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a09c78738c35114867fb1b25362a9296aeb63a58\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5050}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5050 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225050\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 5050, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5050}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5050 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00225050\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12820691,"ip":"80.66.66.38","ts":"2026-07-19 00:40:33.000000","proto":"tcp","src_port":64110,"dst_port":24010,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 24010, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002243b84a497c6e422449c0afe4bb186c43931da27c\u0022, \u0022event_fingerprint\u0022: \u0022dcd3a7cb60afc51ac2a40e6e7010b568418771df\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 24010, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022df556bba90abb8cf51bf6c9d18dfdaae87e6acc9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24010}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 24010 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002224010\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 24010, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24010}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 24010 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002224010\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002224010\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12819697,"ip":"80.66.66.38","ts":"2026-07-19 00:25:34.000000","proto":"tcp","src_port":63864,"dst_port":16393,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 16393, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022390675290e78010b16e5d1c6c7da4854d31bef3e\u0022, \u0022event_fingerprint\u0022: \u00224bfc14ce78a7dc51bc6fcc825b8f8c2d7f4a63f9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 16393, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221e699c651069250adaa52f28afcf3d2e0650d64a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 16393}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 16393 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002216393\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 16393, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 16393}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 16393 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002216393\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002216393\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12819205,"ip":"80.66.66.38","ts":"2026-07-19 00:17:40.000000","proto":"tcp","src_port":63389,"dst_port":4012,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 4012, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225ff19136440051e06f464647445a4d6d9a305cf2\u0022, \u0022event_fingerprint\u0022: \u002231976ed0244d0c0e0e18bc60e784ff0562f226bd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4012, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002267263e272046be13a56e9ca7b8de143615709c0a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4012}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 4012 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224012\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 4012, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4012}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 4012 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00224012\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224012\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12818667,"ip":"80.66.66.38","ts":"2026-07-19 00:08:42.000000","proto":"tcp","src_port":64998,"dst_port":5002,"service":"upnp-ssl","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742075706e705f73736c20726561647920706f72743d353030320d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: \u0022upnp-ssl\u0022, \u0022app_proto\u0022: \u0022upnp-ssl\u0022, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204de0d8d85cda006f4214bf326a098012dadb231\u0022, \u0022event_fingerprint\u0022: \u002278838bed4de0be42bda35b043c5f75aeb5745302\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022upnp-ssl\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5002, \u0022service\u0022: \u0022upnp-ssl\u0022, \u0022service_name\u0022: \u0022upnp-ssl\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f0c6a11558bc77f5e5ae4f17e9d2195a5916ada9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5002, \u0022service\u0022: \u0022upnp-ssl\u0022, \u0022service_label_fr\u0022: \u0022UPNP SSL\u0022}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via UPNP SSL:5002 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225002 \u00b7 UPNP SSL\u0022, \u0022emulator_service\u0022: \u0022upnp-ssl\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via UPNP SSL \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022upnp-ssl\u0022, \u0022service_label_fr\u0022: \u0022UPNP SSL\u0022, \u0022dst_port\u0022: 5002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-upnp-ssl\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5002, \u0022service\u0022: \u0022upnp-ssl\u0022, \u0022service_label_fr\u0022: \u0022UPNP SSL\u0022}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via UPNP SSL:5002 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00225002 \u00b7 UPNP SSL\u0022, \u0022emulator_service\u0022: \u0022upnp-ssl\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022upnp_ssl\u0022, \u0022service_banner\u0022: \u0022honeypot-upnp-ssl\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:5035\u0022, \u0022upnp-ssl\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12818443,"ip":"80.66.66.38","ts":"2026-07-19 00:04:58.000000","proto":"tcp","src_port":63831,"dst_port":5035,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5035, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d78b067a3246e30c897eac7e0df6a3419ce2e24\u0022, \u0022event_fingerprint\u0022: \u0022de4fef3e86a6993fa2426eeb7ee36600273ed544\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5035, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221530674e96bce03a69d1de48525c6c25e82eb724\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5035}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5035 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225035\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 5035, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5035}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5035 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00225035\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225035\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12817565,"ip":"80.66.66.38","ts":"2026-07-18 23:48:34.000000","proto":"tcp","src_port":64513,"dst_port":24004,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 24004, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227635f04121b1fd4b4e1dcb41256183f69b2a8ebb\u0022, \u0022event_fingerprint\u0022: \u00225258f37fa00801314bdd0c8d9793d0a9d7fb10ea\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 24004, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb6b45d8967610382ed4ac52d10af60c661b8849\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24004}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 24004 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002224004\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 24004, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24004}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 24004 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002224004\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002224004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:24004\u0022, \u0022port:31020\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12817374,"ip":"80.66.66.38","ts":"2026-07-18 23:45:26.000000","proto":"tcp","src_port":63333,"dst_port":31020,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 31020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002273bdea01334ec7dc1262411c1efdf8042ff68de0\u0022, \u0022event_fingerprint\u0022: \u00228dc2d5a75f4e6abe357214b26b9e99ad3632ff50\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 31020, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022022593bbb9bd95af7bf3f97bff8f2b9ff56d104a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31020}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31020 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002231020\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 31020, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31020}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31020 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002231020\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002231020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12815959,"ip":"80.66.66.38","ts":"2026-07-18 23:27:08.000000","proto":"tcp","src_port":63715,"dst_port":22211,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 22211, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c897e4dafada223788f275a86853d7dff23a266b\u0022, \u0022event_fingerprint\u0022: \u00229f7f366f7f4a5645984d3153492bbf0644ffe0b7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22211, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022723b7324a77d5513c8e64fe321e65074717564d8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22211}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 22211 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222211\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 22211, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22211}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 22211 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002222211\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222211\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:22211\u0022, \u0022port:31384\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12815860,"ip":"80.66.66.38","ts":"2026-07-18 23:25:02.000000","proto":"tcp","src_port":65140,"dst_port":31384,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 31384, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002275c361ef3a8bdefe378dcf4e5cd4c27a27b2bea3\u0022, \u0022event_fingerprint\u0022: \u00228ee4ab58c34387c3e2f8e4983a2899256bec9c66\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 31384, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223bebf59da53cf4e4de392d93e641e2637ab97616\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31384}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31384 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002231384\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 31384, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31384}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31384 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002231384\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002231384\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12815068,"ip":"80.66.66.38","ts":"2026-07-18 23:08:16.000000","proto":"tcp","src_port":65325,"dst_port":24006,"service":"opcua-discovery","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002248454c0046000000000000000000\u0022, \u0022emulator_response_len\u0022: 14, \u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: \u0022opcua-discovery\u0022, \u0022app_proto\u0022: \u0022opcua-discovery\u0022, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 24006, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ec0b39e3dba8d1859da6f310afaac000a8faa37b\u0022, \u0022event_fingerprint\u0022: \u0022776382ca31085959420e0e59b950a4f538d9488f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022opcua-discovery\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 24006, \u0022service\u0022: \u0022opcua-discovery\u0022, \u0022service_name\u0022: \u0022opcua-discovery\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224558338b2456db576ea90ba56d73cb6283efe53c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24006, \u0022service\u0022: \u0022opcua-discovery\u0022, \u0022service_label_fr\u0022: \u0022OPCUA DISCOVERY\u0022}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via OPCUA DISCOVERY:24006 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002224006 \u00b7 OPCUA DISCOVERY\u0022, \u0022emulator_service\u0022: \u0022opcua-discovery\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via OPCUA DISCOVERY\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022opcua-discovery\u0022, \u0022service_label_fr\u0022: \u0022OPCUA DISCOVERY\u0022, \u0022dst_port\u0022: 24006, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OPC UA Discovery\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24006, \u0022service\u0022: \u0022opcua-discovery\u0022, \u0022service_label_fr\u0022: \u0022OPCUA DISCOVERY\u0022}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via OPCUA DISCOVERY:24006 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002224006 \u00b7 OPCUA DISCOVERY\u0022, \u0022emulator_service\u0022: \u0022opcua-discovery\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022opcua\u0022, \u0022service_banner\u0022: \u0022OPC UA Discovery\u0022, \u0022service_os\u0022: \u0022plc\u0022, \u0022dst_port\u0022: \u002224006\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_opcua_probe\u0022, \u0022opcua_discovery_emulated\u0022, \u0022opcua_discovery_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_opcua_probe\u0022, \u0022opcua_discovery_emulated\u0022, \u0022opcua_discovery_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":47},{"id":12814766,"ip":"80.66.66.38","ts":"2026-07-18 23:02:18.000000","proto":"tcp","src_port":64364,"dst_port":13389,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 13389, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022db4be93ce4d84b1ce0199eb582b291738f541720\u0022, \u0022event_fingerprint\u0022: \u002270f255547d5c30e9359acb13e173f226c0d11c57\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 13389, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226ab9dd461dbc9e68f76955ff171cb617d63c2dda\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 13389}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 13389 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002213389\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 13389, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 13389}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 13389 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002213389\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002213389\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:13389\u0022, \u0022port:23004\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12814616,"ip":"80.66.66.38","ts":"2026-07-18 22:58:04.000000","proto":"tcp","src_port":65406,"dst_port":23004,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 23004, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a99f744ba6cf4d8470cea67e5b10aabcb5428a4d\u0022, \u0022event_fingerprint\u0022: \u0022178b0f29d0a55a433ffb264b047b8d6769c08d19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 23004, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fecc98992df25653eac2579b3c6099a5517a5c30\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 23004}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 23004 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002223004\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 23004, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 23004}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 23004 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002223004\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002223004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12813219,"ip":"80.66.66.38","ts":"2026-07-18 22:34:21.000000","proto":"tcp","src_port":63407,"dst_port":22020,"service":null,"classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 22020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221c19a509135fc02f62fbdc0391d163333ddf978d\u0022, \u0022event_fingerprint\u0022: \u002271ecf3ce0ea49f34ebe95f33770173562821583e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22020, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226d76e84707d9247b48bed18646d3ae9df3b25e10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22020}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 port 22020 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u002222020\u0022, \u0022confidence_reason\u0022: \u0022Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (3 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 22020, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22020}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 port 22020 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002222020\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022port:11386\u0022, \u0022port:22020\u0022, \u0022port:33013\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12813200,"ip":"80.66.66.38","ts":"2026-07-18 22:34:08.000000","proto":"tcp","src_port":64157,"dst_port":33013,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 33013, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eb81c0d1f1c1555e6ec5315bae312534760e4854\u0022, \u0022event_fingerprint\u0022: \u00222e5f55c326985f050bd6df5f6f49294e4e402a15\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 33013, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221d8d06ab825afa85864ac5611676638ecae3b3e3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 33013}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 33013 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002233013\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 33013, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 33013}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 33013 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002233013\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002233013\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:11386\u0022, \u0022port:33013\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12813181,"ip":"80.66.66.38","ts":"2026-07-18 22:33:36.000000","proto":"tcp","src_port":65086,"dst_port":11386,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 11386, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022975c6aa21a3bfc16fec411a95a2297a7bcf0ecd4\u0022, \u0022event_fingerprint\u0022: \u0022001326dfb54a33174a264e50c2ebca749a25eee2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11386, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223c7e1d4b39b46d552cc4931327147cce720c8e73\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 11386}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 11386 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002211386\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 11386, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 11386}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 11386 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002211386\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211386\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12811338,"ip":"80.66.66.38","ts":"2026-07-18 21:43:30.000000","proto":"tcp","src_port":65098,"dst_port":6013,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 6013, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022516eff2eae6f9071d3f901d0fc10dcdcb5e5216e\u0022, \u0022event_fingerprint\u0022: \u0022dae43f440c3ade3b0cf8f1fdd81c528dc6b7bc5f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6013, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002271a0316aa3fa22d1212596708bfd126559415e76\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6013}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 6013 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226013\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (4 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 6013, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6013}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 6013 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00226013\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226013\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 4, \u0022multi_protocol_sample\u0022: [\u0022port:28005\u0022, \u0022port:28009\u0022, \u0022port:4021\u0022, \u0022port:6013\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12811329,"ip":"80.66.66.38","ts":"2026-07-18 21:43:18.000000","proto":"tcp","src_port":64215,"dst_port":4021,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 4021, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022863d48cc31cf9dfcf44c2791935c6542a4b9d0d3\u0022, \u0022event_fingerprint\u0022: \u0022e181737c82ad516c44dfe2aea841f62207b85e9e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4021, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223e7a7c6578c931876b24d0b0d2671863794ed4de\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4021}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 4021 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224021\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (3 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 4021, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4021}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 4021 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00224021\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224021\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022port:28005\u0022, \u0022port:28009\u0022, \u0022port:4021\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12811188,"ip":"80.66.66.38","ts":"2026-07-18 21:40:47.000000","proto":"tcp","src_port":65152,"dst_port":28009,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 28009, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022871bea969e610b0d65e752b2e8fbead3234d1534\u0022, \u0022event_fingerprint\u0022: \u0022326633d4b5a2c237538db5e6c0d01e296ebb55bf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 28009, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002290ede3d762670096e90909f1bc7ed2f608ac1ec5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 28009}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 28009 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002228009\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 28009, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 28009}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 28009 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002228009\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002228009\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:28005\u0022, \u0022port:28009\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12811068,"ip":"80.66.66.38","ts":"2026-07-18 21:39:11.000000","proto":"tcp","src_port":63104,"dst_port":28005,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 28005, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dfa9c925ba576d58b1e988d3af14a6c688c5d841\u0022, \u0022event_fingerprint\u0022: \u0022271c1cb85a1cf10fee8a298b74dbc46c9630b2f2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 28005, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e58e40b1e0ff7a9a3d64a8b84263f778496d4354\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 28005}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 28005 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002228005\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 28005, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 28005}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 28005 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002228005\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002228005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12810140,"ip":"80.66.66.38","ts":"2026-07-18 21:24:14.000000","proto":"tcp","src_port":63767,"dst_port":6011,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 6011, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002272c8e2c08486e7d5ea70b35f4b06646f7ba10cb2\u0022, \u0022event_fingerprint\u0022: \u002271fe5749a19ccfaf8321f0a529367a742af85fe2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6011, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227429c598328a82830c02ee795d5a472df25b9e55\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6011}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 6011 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226011\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 6011, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6011}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 6011 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00226011\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226011\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:13391\u0022, \u0022port:6011\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12810009,"ip":"80.66.66.38","ts":"2026-07-18 21:22:01.000000","proto":"tcp","src_port":64217,"dst_port":13391,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 13391, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022925063cdaa4f4a2a7495bcd5d10b45474b4979e2\u0022, \u0022event_fingerprint\u0022: \u0022cf5765db44710740c838c009abe93a2a95fc65cf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 13391, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224c91b13af1e3357854a8f57b311e93ee8f59fda6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 13391}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 13391 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002213391\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 13391, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 13391}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 13391 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002213391\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002213391\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12809466,"ip":"80.66.66.38","ts":"2026-07-18 21:13:04.000000","proto":"tcp","src_port":63437,"dst_port":5515,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5515, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bc56bea35551c3c01f58df2550f3f6f7388af8a0\u0022, \u0022event_fingerprint\u0022: \u0022f08c387dc89092d87e227bd4d15b3ee58dd8b1bb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5515, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002252d34d26a75bf6e3d7f67a76222020c53fd66298\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5515}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5515 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225515\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 5515, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5515}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5515 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00225515\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225515\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12808399,"ip":"80.66.66.38","ts":"2026-07-18 20:55:09.000000","proto":"tcp","src_port":64767,"dst_port":31399,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 31399, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002201ee6145d82e7a4e264de936732d8530219878ad\u0022, \u0022event_fingerprint\u0022: \u0022a6f458816ea59d717b4858db41cfc773203bfbfa\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 31399, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228d7ee63fd13981ca80ca4d5363879f4e26d64823\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31399}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31399 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002231399\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 31399, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31399}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31399 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002231399\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002231399\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12807681,"ip":"80.66.66.38","ts":"2026-07-18 20:41:38.000000","proto":"tcp","src_port":63393,"dst_port":4039,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 4039, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228dc8fbbb051c7b13e736353e503c3d4072649a11\u0022, \u0022event_fingerprint\u0022: \u00228440b70028e933378756d8b022a5275b1f1ce42c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4039, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228176fe1e0c7ba853c6c7d97b775b594246b56b59\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4039}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 4039 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224039\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 4039, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4039}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 4039 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00224039\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224039\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12807388,"ip":"80.66.66.38","ts":"2026-07-18 20:35:45.000000","proto":"tcp","src_port":63436,"dst_port":11398,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 11398, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f8c6828621640a9710514199f6f183b57002bd78\u0022, \u0022event_fingerprint\u0022: \u0022db99af3d0209322417d3ab1924583aa22d90dc78\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11398, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022912f060a583469d4ee21e7ed673954900b769c67\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 11398}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 11398 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002211398\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 11398, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 11398}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 11398 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002211398\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211398\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12804252,"ip":"80.66.66.38","ts":"2026-07-18 19:35:29.000000","proto":"tcp","src_port":63515,"dst_port":5050,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002249aa886608fa73ba56a5de63e306ce3919a33f0f\u0022, \u0022event_fingerprint\u0022: \u0022eeb1d404915ea1c6b5b562c3d062ba95da80930b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5050, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a09c78738c35114867fb1b25362a9296aeb63a58\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5050}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5050 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225050\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 5050, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5050}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5050 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00225050\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12803305,"ip":"80.66.66.38","ts":"2026-07-18 19:15:37.000000","proto":"tcp","src_port":63143,"dst_port":24010,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 24010, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002243b84a497c6e422449c0afe4bb186c43931da27c\u0022, \u0022event_fingerprint\u0022: \u0022dcd3a7cb60afc51ac2a40e6e7010b568418771df\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 24010, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022df556bba90abb8cf51bf6c9d18dfdaae87e6acc9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24010}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 24010 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002224010\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 24010, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24010}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 24010 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002224010\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002224010\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12802327,"ip":"80.66.66.38","ts":"2026-07-18 18:59:23.000000","proto":"tcp","src_port":64700,"dst_port":16393,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 16393, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022390675290e78010b16e5d1c6c7da4854d31bef3e\u0022, \u0022event_fingerprint\u0022: \u00224bfc14ce78a7dc51bc6fcc825b8f8c2d7f4a63f9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 16393, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221e699c651069250adaa52f28afcf3d2e0650d64a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 16393}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 16393 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002216393\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 16393, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 16393}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 16393 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002216393\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002216393\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12801860,"ip":"80.66.66.38","ts":"2026-07-18 18:51:51.000000","proto":"tcp","src_port":64747,"dst_port":4012,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 4012, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225ff19136440051e06f464647445a4d6d9a305cf2\u0022, \u0022event_fingerprint\u0022: \u002231976ed0244d0c0e0e18bc60e784ff0562f226bd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4012, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002267263e272046be13a56e9ca7b8de143615709c0a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4012}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 4012 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224012\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 4012, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4012}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 4012 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00224012\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224012\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12801251,"ip":"80.66.66.38","ts":"2026-07-18 18:42:54.000000","proto":"tcp","src_port":65394,"dst_port":5002,"service":"upnp-ssl","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742075706e705f73736c20726561647920706f72743d353030320d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: \u0022upnp-ssl\u0022, \u0022app_proto\u0022: \u0022upnp-ssl\u0022, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204de0d8d85cda006f4214bf326a098012dadb231\u0022, \u0022event_fingerprint\u0022: \u002278838bed4de0be42bda35b043c5f75aeb5745302\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022upnp-ssl\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5002, \u0022service\u0022: \u0022upnp-ssl\u0022, \u0022service_name\u0022: \u0022upnp-ssl\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f0c6a11558bc77f5e5ae4f17e9d2195a5916ada9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5002, \u0022service\u0022: \u0022upnp-ssl\u0022, \u0022service_label_fr\u0022: \u0022UPNP SSL\u0022}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via UPNP SSL:5002 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225002 \u00b7 UPNP SSL\u0022, \u0022emulator_service\u0022: \u0022upnp-ssl\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via UPNP SSL \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022upnp-ssl\u0022, \u0022service_label_fr\u0022: \u0022UPNP SSL\u0022, \u0022dst_port\u0022: 5002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-upnp-ssl\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5002, \u0022service\u0022: \u0022upnp-ssl\u0022, \u0022service_label_fr\u0022: \u0022UPNP SSL\u0022}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via UPNP SSL:5002 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00225002 \u00b7 UPNP SSL\u0022, \u0022emulator_service\u0022: \u0022upnp-ssl\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022upnp_ssl\u0022, \u0022service_banner\u0022: \u0022honeypot-upnp-ssl\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:5035\u0022, \u0022upnp-ssl\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12800997,"ip":"80.66.66.38","ts":"2026-07-18 18:39:21.000000","proto":"tcp","src_port":64233,"dst_port":5035,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5035, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d78b067a3246e30c897eac7e0df6a3419ce2e24\u0022, \u0022event_fingerprint\u0022: \u0022de4fef3e86a6993fa2426eeb7ee36600273ed544\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5035, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221530674e96bce03a69d1de48525c6c25e82eb724\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5035}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5035 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225035\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 5035, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5035}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 5035 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u00225035\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225035\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12800060,"ip":"80.66.66.38","ts":"2026-07-18 18:24:58.000000","proto":"tcp","src_port":63246,"dst_port":24004,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 24004, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227635f04121b1fd4b4e1dcb41256183f69b2a8ebb\u0022, \u0022event_fingerprint\u0022: \u00225258f37fa00801314bdd0c8d9793d0a9d7fb10ea\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 24004, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eb6b45d8967610382ed4ac52d10af60c661b8849\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24004}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 24004 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002224004\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 24004, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24004}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 24004 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002224004\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002224004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:24004\u0022, \u0022port:31020\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12799773,"ip":"80.66.66.38","ts":"2026-07-18 18:22:15.000000","proto":"tcp","src_port":64827,"dst_port":31020,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 31020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002273bdea01334ec7dc1262411c1efdf8042ff68de0\u0022, \u0022event_fingerprint\u0022: \u00228dc2d5a75f4e6abe357214b26b9e99ad3632ff50\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 31020, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022022593bbb9bd95af7bf3f97bff8f2b9ff56d104a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31020}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31020 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002231020\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 31020, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31020}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31020 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002231020\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002231020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12798543,"ip":"80.66.66.38","ts":"2026-07-18 18:02:31.000000","proto":"tcp","src_port":65008,"dst_port":22211,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 22211, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c897e4dafada223788f275a86853d7dff23a266b\u0022, \u0022event_fingerprint\u0022: \u00229f7f366f7f4a5645984d3153492bbf0644ffe0b7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22211, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022723b7324a77d5513c8e64fe321e65074717564d8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22211}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 22211 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222211\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 22211, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22211}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 22211 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002222211\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222211\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:22211\u0022, \u0022port:31384\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12798394,"ip":"80.66.66.38","ts":"2026-07-18 17:59:53.000000","proto":"tcp","src_port":64286,"dst_port":31384,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 31384, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002275c361ef3a8bdefe378dcf4e5cd4c27a27b2bea3\u0022, \u0022event_fingerprint\u0022: \u00228ee4ab58c34387c3e2f8e4983a2899256bec9c66\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 31384, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223bebf59da53cf4e4de392d93e641e2637ab97616\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31384}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31384 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002231384\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 31384, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 31384}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 31384 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002231384\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002231384\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12793724,"ip":"80.66.66.38","ts":"2026-07-18 17:38:59.000000","proto":"tcp","src_port":64681,"dst_port":24006,"service":"opcua-discovery","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002248454c0046000000000000000000\u0022, \u0022emulator_response_len\u0022: 14, \u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: \u0022opcua-discovery\u0022, \u0022app_proto\u0022: \u0022opcua-discovery\u0022, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 24006, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ec0b39e3dba8d1859da6f310afaac000a8faa37b\u0022, \u0022event_fingerprint\u0022: \u0022776382ca31085959420e0e59b950a4f538d9488f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022opcua-discovery\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 24006, \u0022service\u0022: \u0022opcua-discovery\u0022, \u0022service_name\u0022: \u0022opcua-discovery\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224558338b2456db576ea90ba56d73cb6283efe53c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24006, \u0022service\u0022: \u0022opcua-discovery\u0022, \u0022service_label_fr\u0022: \u0022OPCUA DISCOVERY\u0022}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via OPCUA DISCOVERY:24006 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002224006 \u00b7 OPCUA DISCOVERY\u0022, \u0022emulator_service\u0022: \u0022opcua-discovery\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via OPCUA DISCOVERY\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022opcua-discovery\u0022, \u0022service_label_fr\u0022: \u0022OPCUA DISCOVERY\u0022, \u0022dst_port\u0022: 24006, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OPC UA Discovery\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 24006, \u0022service\u0022: \u0022opcua-discovery\u0022, \u0022service_label_fr\u0022: \u0022OPCUA DISCOVERY\u0022}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via OPCUA DISCOVERY:24006 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002224006 \u00b7 OPCUA DISCOVERY\u0022, \u0022emulator_service\u0022: \u0022opcua-discovery\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022opcua\u0022, \u0022service_banner\u0022: \u0022OPC UA Discovery\u0022, \u0022service_os\u0022: \u0022plc\u0022, \u0022dst_port\u0022: \u002224006\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_opcua_probe\u0022, \u0022opcua_discovery_emulated\u0022, \u0022opcua_discovery_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_opcua_probe\u0022, \u0022opcua_discovery_emulated\u0022, \u0022opcua_discovery_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":47},{"id":12793316,"ip":"80.66.66.38","ts":"2026-07-18 17:32:08.000000","proto":"tcp","src_port":64664,"dst_port":13389,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 13389, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022db4be93ce4d84b1ce0199eb582b291738f541720\u0022, \u0022event_fingerprint\u0022: \u002270f255547d5c30e9359acb13e173f226c0d11c57\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 13389, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226ab9dd461dbc9e68f76955ff171cb617d63c2dda\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 13389}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 13389 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002213389\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 13389, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 13389}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 13389 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002213389\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002213389\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:13389\u0022, \u0022port:23004\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12793063,"ip":"80.66.66.38","ts":"2026-07-18 17:27:47.000000","proto":"tcp","src_port":65464,"dst_port":23004,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 23004, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a99f744ba6cf4d8470cea67e5b10aabcb5428a4d\u0022, \u0022event_fingerprint\u0022: \u0022178b0f29d0a55a433ffb264b047b8d6769c08d19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 23004, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fecc98992df25653eac2579b3c6099a5517a5c30\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 23004}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 23004 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002223004\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 23004, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 23004}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 23004 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002223004\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002223004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12792128,"ip":"80.66.66.38","ts":"2026-07-18 17:10:00.000000","proto":"tcp","src_port":63157,"dst_port":22020,"service":null,"classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 22020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221c19a509135fc02f62fbdc0391d163333ddf978d\u0022, \u0022event_fingerprint\u0022: \u002271ecf3ce0ea49f34ebe95f33770173562821583e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22020, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226d76e84707d9247b48bed18646d3ae9df3b25e10\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22020}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 port 22020 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u002222020\u0022, \u0022confidence_reason\u0022: \u0022Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (3 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 22020, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22020}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 port 22020 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002222020\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022port:11386\u0022, \u0022port:22020\u0022, \u0022port:33013\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12792117,"ip":"80.66.66.38","ts":"2026-07-18 17:09:51.000000","proto":"tcp","src_port":65524,"dst_port":33013,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 33013, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eb81c0d1f1c1555e6ec5315bae312534760e4854\u0022, \u0022event_fingerprint\u0022: \u00222e5f55c326985f050bd6df5f6f49294e4e402a15\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 33013, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221d8d06ab825afa85864ac5611676638ecae3b3e3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 33013}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 33013 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002233013\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 33013, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 33013}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 33013 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002233013\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002233013\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:11386\u0022, \u0022port:33013\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12792098,"ip":"80.66.66.38","ts":"2026-07-18 17:09:28.000000","proto":"tcp","src_port":63203,"dst_port":11386,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 11386, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022975c6aa21a3bfc16fec411a95a2297a7bcf0ecd4\u0022, \u0022event_fingerprint\u0022: \u0022001326dfb54a33174a264e50c2ebca749a25eee2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11386, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223c7e1d4b39b46d552cc4931327147cce720c8e73\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 11386}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 11386 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002211386\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 11386, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 11386}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 11386 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002211386\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211386\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12791335,"ip":"80.66.66.38","ts":"2026-07-18 16:57:54.000000","proto":"tcp","src_port":64460,"dst_port":22008,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 22008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002227c7e69e3596a50f3ed737c7ca013db3a7e77772\u0022, \u0022event_fingerprint\u0022: \u0022e534563cb894030e13231dbbc926f3853ec1abba\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22008, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002211b3c2defeb4de875d962b2106928c57a1e139fb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22008}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 22008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222008\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 22008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22008}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 22008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002222008\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47},{"id":12790957,"ip":"80.66.66.38","ts":"2026-07-18 16:51:01.000000","proto":"tcp","src_port":63858,"dst_port":22022,"service":null,"classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 4.155132734426204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 209702, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 22022, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b9f67c724b27bd3501ae1edbe7d29a2648c0f249\u0022, \u0022event_fingerprint\u0022: \u0022fc8e747cb3c245b7535cd52d95c97c0db33b054c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP NTLM hash\u0022, \u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 209702, \u0022org\u0022: \u0022Soldatov Alexey Valerevich\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022012fca15d97ce99638a1c3f4bf953d2b\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ae085e6628a6e2d5634e3bc49a46d790fcdda5b7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22022}, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 22022 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222022\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 22022, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0347\u0022, \u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\/*\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000Cookie: mstshash=Administr\\r\\n\\u0001\\u0000\\b\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 22022}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 port 22022 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/*\ufffdCookie: mstshash=Administr\u0022, \u0022target_port_label\u0022: \u002222022\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222022\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:22022\u0022, \u0022port:30017\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":47}],"total_events":174}