{"ip":"80.87.206.168","exported_at":"2026-06-20T09:24:50+00:00","period_days":30,"metrics":{"events7d":39,"distinct_ports":24,"distinct_classifications":5,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":28,"max_risk_score":69,"attack_stage":"recon","attack_chain_stage":"reconnaissance","threat_family":["scanner"],"recommended_action":"monitor","confidence":1,"risk_breakdown":{"waf":8,"classification":64,"behavior":0,"geo":40,"protocol":33,"novelty":15},"mitre_tactics":["TA0043"],"mitre_technique":"T1046","top_mitre_technique":"T1046","top_mitre_count":21,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (12 protocoles \u00b7 5 min)","campaign_hint_fr":"Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte","confidence_breakdown":{"waf":8,"classification":64,"behavior":0,"geo":40,"protocol":33,"novelty":15,"risk_score":42,"correlation_boost":14},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["campagne_ports","multi_protocol_correlation"],"correlation_flags_labels_fr":["Campagne multi-ports","Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":100,"confidence_hint_fr":"Corr\u00e9lation +14","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["MITRE-T1046","SIGMA-net-port-scan","Beh Scan Burst","Beh Multi Port 60S"],"tags_summary":["MITRE-T1046","SIGMA-net-port-scan","INT-beh-scan-burst","INT-beh-multi-port-60s"],"attack_vector":"port scan syn \u00b7 via HTTPS:10443 \u00b7 (reconnaissance)","protocol_details":{"payload_preview":"\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0027q\u0022\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdD\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000","port":10443,"service":"https","service_label_fr":"HTTPS"},"protocol_summary_fr":"Payload \u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0027q\u0022\ufffd\ufffd\ufffd)\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdD\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\u2026 \u00b7 HTTPS:10443","evidence_snippet":"\ufffd\ufffd\u0027q\u0022\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdDP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd","target_port_label":"10443 \u00b7 HTTPS","emulator_service":"https","confidence_reason":"Confiance 100 % \u2014 3 signal(aux) capteur","classification_reason":"Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14","payload_preview":"\ufffd\ufffd\u0027q\u0022\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdDP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd"},"events":[{"id":9590813,"ip":"80.87.206.168","ts":"2026-06-18 16:17:03.000000","proto":"tcp","src_port":59518,"dst_port":10443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.928315499844018, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 10443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bf82ed4958219b6801f74213ab3f101ded76679b\u0022, \u0022event_fingerprint\u0022: \u00220ce879e35222bcf244eb8071cb051f2e9c4aa580\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002296366e6e3c6c337352f0b7c76d57575c\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\u0027q\\\u0022\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdD\\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\u0027q\\\u0022\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdD\\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 d\\u001c\ufffd\ufffd\ufffdh\\u0002\ufffd\\u0011\ufffd.\ufffde-\ufffd\ufffdb*\ufffd+\\u001e\ufffd\ufffd7\\u0018X\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\u0027q\\\u0022\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdD\\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d792bd0c07ec80982d77bee35f7aa6fa8ee1d1de\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\u0027q\\\u0022\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdD\\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 10443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u0027q\\\u0022\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdDP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTPS:10443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u002210443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (12 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 10443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\u0027q\\\u0022\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdD\\u000eP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\\u000e\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 10443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTPS:10443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u0027q\\\u0022\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003E\ufffd\ufffd\ufffdDP\ufffd\ufffd\u07d2\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdOlg\ufffdD)\ufffd)to\ufffd1\ufffd\ufffd\ufffd\u0027\ufffd\ufffd\ufffd\u02ba\ufffd\ufffd`\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u002210443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [2087, 2096, 6443, 8081, 10443], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 12, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022cpanel-ssl\u0022, \u0022cpanel-whm\u0022, \u0022http\u0022, \u0022http-alt-8081\u0022, \u0022https\u0022, \u0022k8s-api\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022net_web_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022net_web_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":261},{"id":9590798,"ip":"80.87.206.168","ts":"2026-06-18 16:16:51.000000","proto":"tcp","src_port":36496,"dst_port":6443,"service":"k8s-api","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002215030300020228\u0022, \u0022emulator_response_len\u0022: 7, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.907300195817607, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225f70a73a5934201c2e00970f23615f0b69d2ca8a\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229c42012187c07f389cacfea5e514227f\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffd\\u0019A\ufffd\ufffdb\ufffdlBz(\\u001fb\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\\u001f\ufffd;nP{\\\u0022\ufffd\ufffd\/\ufffd\ufffd\\u0003\ufffd\u00ea\\u0013N\\u001b\\u0010h\\fsr\u075c4\\u0004l\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffd\\u0019A\ufffd\ufffdb\ufffdlBz(\\u001fb\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\\u001f\ufffd;nP{\\\u0022\ufffd\ufffd\/\ufffd\ufffd\\u0003\ufffd\u00ea\\u0013N\\u001b\\u0010h\\fsr\u075c4\\u0004l\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\ufffdIC\ufffd\ufffd\ufffdw\ufffd\ufffdI\ufffd\\u000bF\ufffd\\u0010\ufffdw\u01a0\ufffd\ufffd~\\u001b\ufffd\ufffd\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffd\\u0019A\ufffd\ufffdb\ufffdlBz(\\u001fb\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\\u001f\ufffd;nP{\\\u0022\ufffd\ufffd\/\ufffd\ufffd\\u0003\ufffd\u00ea\\u0013N\\u001b\\u0010h\\fsr\u075c4\\u0004l\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002227aaff474890083e67a757dfce6664d270666f20\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffd\\u0019A\ufffd\ufffdb\ufffdlBz(\\u001fb\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\\u001f\ufffd;nP{\\\u0022\ufffd\ufffd\/\ufffd\ufffd\\u0003\ufffd\u00ea\\u0013N\\u001b\\u0010h\\fsr\u075c4\\u0004l\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffdA\ufffd\ufffdb\ufffdlBz(b\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\ufffd;nP{\\\u0022\ufffd\ufffd\/\ufffd\ufffd\ufffd\u00eaNhsr\u075c4l\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (12 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffd\\u0019A\ufffd\ufffdb\ufffdlBz(\\u001fb\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\\u001f\ufffd;nP{\\\u0022\ufffd\ufffd\/\ufffd\ufffd\\u0003\ufffd\u00ea\\u0013N\\u001b\\u0010h\\fsr\u075c4\\u0004l\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffda\ufffd[\u0463\ufffdU\ufffdA\ufffd\ufffdb\ufffdlBz(b\ufffd+}\udb1a\udf31\ufffd\ufffd^ \ufffd\ufffd\ufffd;nP{\\\u0022\ufffd\ufffd\/\ufffd\ufffd\ufffd\u00eaNhsr\u075c4l\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [2083, 2087, 2096, 6443, 8081], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 12, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022cpanel-ssl\u0022, \u0022cpanel-whm\u0022, \u0022http\u0022, \u0022http-alt-8081\u0022, \u0022https\u0022, \u0022k8s-api\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022net_kubernetes_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":6,"bytes_in":261},{"id":9590787,"ip":"80.87.206.168","ts":"2026-06-18 16:16:39.000000","proto":"tcp","src_port":44608,"dst_port":2096,"service":"tls","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00227c1e207beb00684bbbe144f1b0abe1d5\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022tls_alpn\u0022: [\u0022h2\u0022, \u0022http\/1.1\u0022], \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.838062849031519, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 2096, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022034adfd45be9e71e735b20823d30b888ab377efc\u0022, \u0022event_fingerprint\u0022: \u00227b1496833d082bfb3e405ae43288c139caf2bde9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00227c1e207beb00684bbbe144f1b0abe1d5\u0022, \u0022payload_hash\u0022: \u00220a0301084513022b2e9193059a4965f6\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2096, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003Z\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z\\u001b1,\\u001f\ufffd\\b\ufffd[\\u0007$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@\\u0012%sAEt\\t`\u003E\ufffd\ufffd\ufffd\ufffd\\r\ufffdoE \ufffdT\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003Z\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z\\u001b1,\\u001f\ufffd\\b\ufffd[\\u0007$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@\\u0012%sAEt\\t`\u003E\ufffd\ufffd\ufffd\ufffd\\r\ufffdoE \ufffdT\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 ,\ufffd#Q\ufffd\ufffd\ufffd\ufffd\\u001bV\\r5\u0027j|\ufffd\ufffd\ufffdi[\\u0004m,;\ufffdfe\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003Z\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z\\u001b1,\\u001f\ufffd\\b\ufffd[\\u0007$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@\\u0012%sAEt\\t`\u003E\ufffd\ufffd\ufffd\ufffd\\r\ufffdoE \ufffdT\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e678f1324aa0f3f3ee444898728eb59f77a9e188\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003Z\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z\\u001b1,\\u001f\ufffd\\b\ufffd[\\u0007$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@\\u0012%sAEt\\t`\u003E\ufffd\ufffd\ufffd\ufffd\\r\ufffdoE \ufffdT\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u00227c1e207beb00684bbbe144f1b0abe1d5\u0022, \u0022port\u0022: 2096, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdZ\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z1,\ufffd\ufffd[$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@%sAEt\\t`\u003E\ufffd\ufffd\ufffd\ufffd\\r\ufffdoE \ufffdT\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via TLS:2096 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00222096 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (11 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 2096, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003Z\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z\\u001b1,\\u001f\ufffd\\b\ufffd[\\u0007$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@\\u0012%sAEt\\t`\u003E\ufffd\ufffd\ufffd\ufffd\\r\ufffdoE \ufffdT\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u00227c1e207beb00684bbbe144f1b0abe1d5\u0022, \u0022port\u0022: 2096, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via TLS:2096 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdZ\ufffd[A\u0335G\ufffd\ufffd\u06777\u0353Z1,\ufffd\ufffd[$g\ufffd\ufffdeD\ufffd dQ\ufffdI\ufffd\ufffds\ufffd-@%sAEt\\t`\u003E\ufffd\ufffd\ufffd\ufffd\\r\ufffdoE \ufffdT\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00222096 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222096\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [2083, 2087, 2096, 8081], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 11, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022cpanel-ssl\u0022, \u0022cpanel-whm\u0022, \u0022http\u0022, \u0022http-alt-8081\u0022, \u0022https\u0022, \u0022kdm\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"7c1e207beb00684bbbe144f1b0abe1d5","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-16-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":261},{"id":9590776,"ip":"80.87.206.168","ts":"2026-06-18 16:16:27.000000","proto":"tcp","src_port":40374,"dst_port":8081,"service":"http-alt-8081","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.875202670922491, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022app_proto\u0022: \u0022http-alt-8081\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022929e68b705f9838a7da7b1cddb73ebe75654e59f\u0022, \u0022event_fingerprint\u0022: \u00221023f61ccc055c445b71c912dbddfda91b08657e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http-alt-8081\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226e38891a7f116e809c951d8ed649ee87\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022service_name\u0022: \u0022http-alt-8081\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0012\\u0018g2c\\u001aM:\ufffd\\u001e\ufffd\ufffd]\\nx\ufffd:m\ufffd;9dp5@l\ufffd\\u001e\ufffd\ufffdW\ufffd \u0285P2\ufffd\\u001803\ufffdQ\u003E\u0308\\u0004L\ufffd\ufffd\ufffd\ufffdp\ufffd`\\u0012O{=Z\\u0007r\ufffd:-\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0012\\u0018g2c\\u001aM:\ufffd\\u001e\ufffd\ufffd]\\nx\ufffd:m\ufffd;9dp5@l\ufffd\\u001e\ufffd\ufffdW\ufffd \u0285P2\ufffd\\u001803\ufffdQ\u003E\u0308\\u0004L\ufffd\ufffd\ufffd\ufffdp\ufffd`\\u0012O{=Z\\u0007r\ufffd:-\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdE*\ufffd\ufffdS\ufffd\\u0007E\\n^8\ufffdP\\u0007\ufffdY\\u0018\ufffd\\u000f\ufffd\ufffdt\ufffd-\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0012\\u0018g2c\\u001aM:\ufffd\\u001e\ufffd\ufffd]\\nx\ufffd:m\ufffd;9dp5@l\ufffd\\u001e\ufffd\ufffdW\ufffd \u0285P2\ufffd\\u001803\ufffdQ\u003E\u0308\\u0004L\ufffd\ufffd\ufffd\ufffdp\ufffd`\\u0012O{=Z\\u0007r\ufffd:-\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224d72a238f262a001b99f193fb2c7adf0bfd30cda\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0012\\u0018g2c\\u001aM:\ufffd\\u001e\ufffd\ufffd]\\nx\ufffd:m\ufffd;9dp5@l\ufffd\\u001e\ufffd\ufffdW\ufffd \u0285P2\ufffd\\u001803\ufffdQ\u003E\u0308\\u0004L\ufffd\ufffd\ufffd\ufffdp\ufffd`\\u0012O{=Z\\u0007r\ufffd:-\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8081\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdg2cM:\ufffd\ufffd\ufffd]\\nx\ufffd:m\ufffd;9dp5@l\ufffd\ufffd\ufffdW\ufffd \u0285P2\ufffd03\ufffdQ\u003E\u0308L\ufffd\ufffd\ufffd\ufffdp\ufffd`O{=Zr\ufffd:-\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP ALT 8081\u0022, \u0022emulator_service\u0022: \u0022http-alt-8081\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8081 \u2014 multi-protocole (10 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http-alt-8081\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8081\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-8081\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0012\\u0018g2c\\u001aM:\ufffd\\u001e\ufffd\ufffd]\\nx\ufffd:m\ufffd;9dp5@l\ufffd\\u001e\ufffd\ufffdW\ufffd \u0285P2\ufffd\\u001803\ufffdQ\u003E\u0308\\u0004L\ufffd\ufffd\ufffd\ufffdp\ufffd`\\u0012O{=Z\\u0007r\ufffd:-\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8081\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdg2cM:\ufffd\ufffd\ufffd]\\nx\ufffd:m\ufffd;9dp5@l\ufffd\ufffd\ufffdW\ufffd \u0285P2\ufffd03\ufffdQ\u003E\u0308L\ufffd\ufffd\ufffd\ufffdp\ufffd`O{=Zr\ufffd:-\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP ALT 8081\u0022, \u0022emulator_service\u0022: \u0022http-alt-8081\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_8081\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-8081\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [2083, 2087, 8080, 8081], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 10, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022cpanel-ssl\u0022, \u0022cpanel-whm\u0022, \u0022http\u0022, \u0022http-alt-8081\u0022, \u0022https\u0022, \u0022kdm\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":261},{"id":9590767,"ip":"80.87.206.168","ts":"2026-06-18 16:16:15.000000","proto":"tcp","src_port":56448,"dst_port":2087,"service":"cpanel-whm","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e\u0022, \u0022emulator_response_len\u0022: 125, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.861017838574273, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022cpanel-whm\u0022, \u0022app_proto\u0022: \u0022cpanel-whm\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 2087, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002251584d32aeb6bcba72953119cc78a0e0836a8f64\u0022, \u0022event_fingerprint\u0022: \u0022bd94c1be47794e5b05816ea1bc287e14296ba082\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022cpanel-whm\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225751c075db09a6b139a586111608757c\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2087, \u0022service\u0022: \u0022cpanel-whm\u0022, \u0022service_name\u0022: \u0022cpanel-whm\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\/\u065f\ufffd(\ufffd\u0259\ufffd\\u000f6|\ufffd\ufffdyj\\b\ufffd\ufffdy`\ufffd\ufffd\ufffdp\\u0012\\f\\u0000c\\n\ufffd\ufffd C\ufffd\ufffd\\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\r\ufffd\ufffd\\u001fU\ufffd\\u000fj\ufffd\\u0003\ufffd\ufffd\u028d\ufffdk\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\/\u065f\ufffd(\ufffd\u0259\ufffd\\u000f6|\ufffd\ufffdyj\\b\ufffd\ufffdy`\ufffd\ufffd\ufffdp\\u0012\\f\\u0000c\\n\ufffd\ufffd C\ufffd\ufffd\\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\r\ufffd\ufffd\\u001fU\ufffd\\u000fj\ufffd\\u0003\ufffd\ufffd\u028d\ufffdk\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 wK\\u001d\ufffd\ufffdy\ufffd\ufffdIHB\\u0012q\\u001d\ufffd\u003E\ufffd\\u0007n\ufffd\ufffd=w\ufffd\ufffdob\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\/\u065f\ufffd(\ufffd\u0259\ufffd\\u000f6|\ufffd\ufffdyj\\b\ufffd\ufffdy`\ufffd\ufffd\ufffdp\\u0012\\f\\u0000c\\n\ufffd\ufffd C\ufffd\ufffd\\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\r\ufffd\ufffd\\u001fU\ufffd\\u000fj\ufffd\\u0003\ufffd\ufffd\u028d\ufffdk\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d94745a637ea3108c1cb219caae1f03c1ffed2b7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\/\u065f\ufffd(\ufffd\u0259\ufffd\\u000f6|\ufffd\ufffdyj\\b\ufffd\ufffdy`\ufffd\ufffd\ufffdp\\u0012\\f\\u0000c\\n\ufffd\ufffd C\ufffd\ufffd\\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\r\ufffd\ufffd\\u001fU\ufffd\\u000fj\ufffd\\u0003\ufffd\ufffd\u028d\ufffdk\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 2087, \u0022service\u0022: \u0022cpanel-whm\u0022, \u0022service_label_fr\u0022: \u0022CPANEL WHM\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\/\u065f\ufffd(\ufffd\u0259\ufffd6|\ufffd\ufffdyj\ufffd\ufffdy`\ufffd\ufffd\ufffdpc\\n\ufffd\ufffd C\ufffd\ufffd\\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\r\ufffd\ufffdU\ufffdj\ufffd\ufffd\ufffd\u028d\ufffdk\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00222087 \u00b7 CPANEL WHM\u0022, \u0022emulator_service\u0022: \u0022cpanel-whm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL WHM \u2014 multi-protocole (9 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022cpanel-whm\u0022, \u0022service_label_fr\u0022: \u0022CPANEL WHM\u0022, \u0022dst_port\u0022: 2087, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-cpanel-whm\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\/\u065f\ufffd(\ufffd\u0259\ufffd\\u000f6|\ufffd\ufffdyj\\b\ufffd\ufffdy`\ufffd\ufffd\ufffdp\\u0012\\f\\u0000c\\n\ufffd\ufffd C\ufffd\ufffd\\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\r\ufffd\ufffd\\u001fU\ufffd\\u000fj\ufffd\\u0003\ufffd\ufffd\u028d\ufffdk\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 2087, \u0022service\u0022: \u0022cpanel-whm\u0022, \u0022service_label_fr\u0022: \u0022CPANEL WHM\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\/\u065f\ufffd(\ufffd\u0259\ufffd6|\ufffd\ufffdyj\ufffd\ufffdy`\ufffd\ufffd\ufffdpc\\n\ufffd\ufffd C\ufffd\ufffd\\nI\ufffdp\ufffd*4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\r\ufffd\ufffdU\ufffdj\ufffd\ufffd\ufffd\u028d\ufffdk\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00222087 \u00b7 CPANEL WHM\u0022, \u0022emulator_service\u0022: \u0022cpanel-whm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022cpanel_whm\u0022, \u0022service_banner\u0022: \u0022honeypot-cpanel-whm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222087\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [2083, 2087, 8080, 9443], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 9, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022cpanel-ssl\u0022, \u0022cpanel-whm\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022, \u0022quic-http3-stub\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022cpanel_whm_emulated\u0022, \u0022cpanel_whm_payload\u0022, \u0022net_cpanel_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022cpanel_whm_emulated\u0022, \u0022cpanel_whm_payload\u0022, \u0022net_cpanel_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":261},{"id":9590760,"ip":"80.87.206.168","ts":"2026-06-18 16:16:03.000000","proto":"tcp","src_port":37274,"dst_port":2083,"service":"cpanel-ssl","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e\u0022, \u0022emulator_response_len\u0022: 125, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.933219924045358, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022cpanel-ssl\u0022, \u0022app_proto\u0022: \u0022cpanel-ssl\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 2083, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224cc54c7fcd5f1e5ebb94393f5b67f30e90170090\u0022, \u0022event_fingerprint\u0022: \u002280d2812b66b9080b0842670f25ce9d4d3386dae1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022cpanel-ssl\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c15efe199fbbd0c10b30123c9881afef\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2083, \u0022service\u0022: \u0022cpanel-ssl\u0022, \u0022service_name\u0022: \u0022cpanel-ssl\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdu\ufffd\\u001a\u003E3\\u001bz\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\\u0011\ufffd\u05094\ufffd\ufffd\\u001f\\u0005\\u0010 \\u000f\ufffd\ufffda\/\ufffd\\u001f\ufffdC\\u0005\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\\n\ufffd\ufffd\ufffdJAR!\ufffd\\u0005\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdu\ufffd\\u001a\u003E3\\u001bz\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\\u0011\ufffd\u05094\ufffd\ufffd\\u001f\\u0005\\u0010 \\u000f\ufffd\ufffda\/\ufffd\\u001f\ufffdC\\u0005\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\\n\ufffd\ufffd\ufffdJAR!\ufffd\\u0005\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\u001e\\u0004Pir\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd%|\\u000b\ufffdO^$\\u0002\ufffdN\ufffd\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdu\ufffd\\u001a\u003E3\\u001bz\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\\u0011\ufffd\u05094\ufffd\ufffd\\u001f\\u0005\\u0010 \\u000f\ufffd\ufffda\/\ufffd\\u001f\ufffdC\\u0005\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\\n\ufffd\ufffd\ufffdJAR!\ufffd\\u0005\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aed78668124dd392b85ab7b1cdcc577dcd520d64\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdu\ufffd\\u001a\u003E3\\u001bz\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\\u0011\ufffd\u05094\ufffd\ufffd\\u001f\\u0005\\u0010 \\u000f\ufffd\ufffda\/\ufffd\\u001f\ufffdC\\u0005\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\\n\ufffd\ufffd\ufffdJAR!\ufffd\\u0005\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 2083, \u0022service\u0022: \u0022cpanel-ssl\u0022, \u0022service_label_fr\u0022: \u0022CPANEL SSL\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdu\ufffd\u003E3z\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\ufffd\u05094\ufffd\ufffd \ufffd\ufffda\/\ufffd\ufffdC\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\\n\ufffd\ufffd\ufffdJAR!\ufffd\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via CPANEL SSL:2083 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00222083 \u00b7 CPANEL SSL\u0022, \u0022emulator_service\u0022: \u0022cpanel-ssl\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL SSL \u2014 multi-protocole (8 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022cpanel-ssl\u0022, \u0022service_label_fr\u0022: \u0022CPANEL SSL\u0022, \u0022dst_port\u0022: 2083, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-cpanel-ssl\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdu\ufffd\\u001a\u003E3\\u001bz\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\\u0011\ufffd\u05094\ufffd\ufffd\\u001f\\u0005\\u0010 \\u000f\ufffd\ufffda\/\ufffd\\u001f\ufffdC\\u0005\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\\n\ufffd\ufffd\ufffdJAR!\ufffd\\u0005\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 2083, \u0022service\u0022: \u0022cpanel-ssl\u0022, \u0022service_label_fr\u0022: \u0022CPANEL SSL\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via CPANEL SSL:2083 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdu\ufffd\u003E3z\u00c5}7L\ufffd\ufffd\ufffd\/\ufffd{\ufffd8\ufffd\u05094\ufffd\ufffd \ufffd\ufffda\/\ufffd\ufffdC\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\\n\ufffd\ufffd\ufffdJAR!\ufffd\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00222083 \u00b7 CPANEL SSL\u0022, \u0022emulator_service\u0022: \u0022cpanel-ssl\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022cpanel_ssl\u0022, \u0022service_banner\u0022: \u0022honeypot-cpanel-ssl\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222083\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [2083, 4433, 8080, 9443], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 8, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022cpanel-ssl\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022, \u0022quic-http3-stub\u0022, \u0022upnp-tcp\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022cpanel_ssl_emulated\u0022, \u0022net_cpanel_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022cpanel_ssl_emulated\u0022, \u0022net_cpanel_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":261},{"id":9590746,"ip":"80.87.206.168","ts":"2026-06-18 16:15:39.000000","proto":"tcp","src_port":50874,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":7,"waf_tags":"[\u0022950324:rce-0\u0022]","http_method":"\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\u0003\u0003","http_target":"k\u0490[\u003COE|","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022680da6bbe992cf3eaa4ab1e1e90c2898686a6bd1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\\u0003\\u0003\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.914314436205332, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 36.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 36.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f074606b922ffbc0a44e87add047c495b93d5345\u0022, \u0022event_fingerprint\u0022: \u00225002f86640b9f6ff5703b8dbef54100928abb241\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 36.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221aa4ca315416e4fef96b91b4ce8f8772\u0022, \u0022path_pattern_hash\u0022: \u002272708bc98a2574405e31ac171b5dcddb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022method\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\\u0003\\u0003\u0022, \u0022path\u0022: \u0022k\u0490[\u003COE|\u0022, \u0022waf_tags\u0022: [\u0022950324:rce-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022], \u0022request_line\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\\u0003\\u0003 k\u0490[\u003COE| HTTP\/1.1\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003 k\ufffd\ufffd\ufffd\ufffd\u0490[\u003C\ufffd\ufffdO\ufffdE|\ufffd\\u000b\ufffdL7V\ufffdHP\ufffd\\u0002v\ufffd\ufffd\ufffd{ \ufffd*-\ufffdX\ufffd\ufffd\ufffd\ufffd\\u0019\ufffd\\u001a\u0512X\\u0017\ufffd \ufffde\u003E\ufffd\\u0007Fw\\u001a3\ufffdg\ufffd[2\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\\u0003\\u0003\u0022, \u0022path\u0022: \u0022k\u0490[\u003COE|\u0022, \u0022waf_tags\u0022: [\u0022950324:rce-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022], \u0022request_line\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\\u0003\\u0003 k\u0490[\u003COE| HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003 k\ufffd\ufffd\ufffd\ufffd\u0490[\u003C\ufffd\ufffdO\ufffdE|\ufffd\\u000b\ufffdL7V\ufffdHP\ufffd\\u0002v\ufffd\ufffd\ufffd{ \ufffd*-\ufffdX\ufffd\ufffd\ufffd\ufffd\\u0019\ufffd\\u001a\u0512X\\u0017\ufffd \ufffde\u003E\ufffd\\u0007Fw\\u001a3\ufffdg\ufffd[2\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\u000br\ufffd\ufffd\ufffd\ufffd9$V\ufffd\ufffd\ufffd\ufffd\\u0010\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffdJ\ufffd\\u0011\\u0016\\n\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003 k\ufffd\ufffd\ufffd\ufffd\u0490[\u003C\ufffd\ufffdO\ufffdE|\ufffd\\u000b\ufffdL7V\ufffdHP\ufffd\\u0002v\ufffd\ufffd\ufffd{ \ufffd*-\ufffdX\ufffd\ufffd\ufffd\ufffd\\u0019\ufffd\\u001a\u0512X\\u0017\ufffd \ufffde\u003E\ufffd\\u0007Fw\\u001a3\ufffdg\ufffd[2\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022116e44956ecadb251af94d73b6951190dd7b0aee\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\\u0003\\u0003\u0022, \u0022http_path\u0022: \u0022k\u0490[\u003COE|\u0022, \u0022request_line\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\\u0003\\u0003 k\u0490[\u003COE| HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd k\ufffd\ufffd\ufffd\ufffd\u0490[\u003C\ufffd\ufffdO\ufffdE|\ufffd\ufffdL7V\ufffdHP\ufffdv\ufffd\ufffd\ufffd{ \ufffd*-\ufffdX\ufffd\ufffd\ufffd\ufffd\ufffd\u0512X\ufffd \ufffde\u003E\ufffdFw3\ufffdg\ufffd[2\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 k\u0490[\u003COE|\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (7 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 36.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\\u0003\\u0003\u0022, \u0022http_path\u0022: \u0022k\u0490[\u003COE|\u0022, \u0022request_line\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\\u0003\\u0003 k\u0490[\u003COE| HTTP\/1.1\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 k\u0490[\u003COE|\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd k\ufffd\ufffd\ufffd\ufffd\u0490[\u003C\ufffd\ufffdO\ufffdE|\ufffd\ufffdL7V\ufffdHP\ufffdv\ufffd\ufffd\ufffd{ \ufffd*-\ufffdX\ufffd\ufffd\ufffd\ufffd\ufffd\u0512X\ufffd \ufffde\u003E\ufffdFw3\ufffdg\ufffd[2\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 36 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 7, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022, \u0022quic-http3-stub\u0022, \u0022upnp-tcp\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950324:rce-0\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"L7VHP\u0002v{","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022950324:rce-0\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":261},{"id":9590708,"ip":"80.87.206.168","ts":"2026-06-18 16:15:15.000000","proto":"tcp","src_port":36762,"dst_port":9443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.834581559131824, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f2969b3a7d1c31616fffb40602d4e6e3999b3dc2\u0022, \u0022event_fingerprint\u0022: \u00225b8d9bc7bcb6d0b9bee3faac4a80649a400d4176\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022, \u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022, \u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022, \u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022db547feb1359077cabca99346e0dee31\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdv\ufffdB\ufffdz\\u000bOg\ufffd;V0\ufffdP\u0027\ufffd+\ufffd\ufffd#k]\ufffd\\u00057\ufffd\u05ea\ufffd4 \ufffd\\u001e\ufffd\\u0011\ufffd.\\u000f~8\ufffdc\ufffd\\b\\u00145t\\u0005\ufffdPY\\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdv\ufffdB\ufffdz\\u000bOg\ufffd;V0\ufffdP\u0027\ufffd+\ufffd\ufffd#k]\ufffd\\u00057\ufffd\u05ea\ufffd4 \ufffd\\u001e\ufffd\\u0011\ufffd.\\u000f~8\ufffdc\ufffd\\b\\u00145t\\u0005\ufffdPY\\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdg\ufffd\ufffd\ufffd\\t\\u0016\\r^X6t\ufffd\ufffd\\f\ufffdT\ufffd\ufffd\ufffdH\u0768\ufffd\ufffd\ufffdP\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdv\ufffdB\ufffdz\\u000bOg\ufffd;V0\ufffdP\u0027\ufffd+\ufffd\ufffd#k]\ufffd\\u00057\ufffd\u05ea\ufffd4 \ufffd\\u001e\ufffd\\u0011\ufffd.\\u000f~8\ufffdc\ufffd\\b\\u00145t\\u0005\ufffdPY\\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002281bc211f0d48214fac77c22561b8972f55745e07\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdv\ufffdB\ufffdz\\u000bOg\ufffd;V0\ufffdP\u0027\ufffd+\ufffd\ufffd#k]\ufffd\\u00057\ufffd\u05ea\ufffd4 \ufffd\\u001e\ufffd\\u0011\ufffd.\\u000f~8\ufffdc\ufffd\\b\\u00145t\\u0005\ufffdPY\\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdv\ufffdB\ufffdzOg\ufffd;V0\ufffdP\u0027\ufffd+\ufffd\ufffd#k]\ufffd7\ufffd\u05ea\ufffd4 \ufffd\ufffd\ufffd.~8\ufffdc\ufffd5t\ufffdPY\\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (7 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdv\ufffdB\ufffdz\\u000bOg\ufffd;V0\ufffdP\u0027\ufffd+\ufffd\ufffd#k]\ufffd\\u00057\ufffd\u05ea\ufffd4 \ufffd\\u001e\ufffd\\u0011\ufffd.\\u000f~8\ufffdc\ufffd\\b\\u00145t\\u0005\ufffdPY\\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdv\ufffdB\ufffdzOg\ufffd;V0\ufffdP\u0027\ufffd+\ufffd\ufffd#k]\ufffd7\ufffd\u05ea\ufffd4 \ufffd\ufffd\ufffd.~8\ufffdc\ufffd5t\ufffdPY\\r\ufffd\ufffdn\ufffd\ufffdR\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [4433, 5001, 8443, 9443], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 7, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022, \u0022quic-http3-stub\u0022, \u0022upnp-tcp\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022net_web_probe\u0022, \u0022tls_clienthello\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022net_web_probe\u0022, \u0022tls_clienthello\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":261},{"id":9590698,"ip":"80.87.206.168","ts":"2026-06-18 16:15:03.000000","proto":"tcp","src_port":52738,"dst_port":4433,"service":"quic-http3-stub","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220c00000000485454502f3320686f6e6579706f7420737475620d0a\u0022, \u0022emulator_response_len\u0022: 27, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.848307843303124, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022quic-http3-stub\u0022, \u0022app_proto\u0022: \u0022quic-http3-stub\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 4433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a8bd063f644b84e1de1a05db0b9f17e832ed6e2d\u0022, \u0022event_fingerprint\u0022: \u002269ec763c111675fc5207ef508e4abdef0f3279d4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022quic-http3-stub\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022389f0c8cc7142c2f480e0eb5c6967b8b\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4433, \u0022service\u0022: \u0022quic-http3-stub\u0022, \u0022service_name\u0022: \u0022quic-http3-stub\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdL\ufffd\ufffd\\u0004T\\u0013\\u0005\ufffd\u003E\ufffde\ufffd\ufffd\ufffdty\\u001d\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8\\u0014 x \ufffdS\\t\ufffd\\u0014\\n\ufffd[~\ufffd\ufffd}\\u0006\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdL\ufffd\ufffd\\u0004T\\u0013\\u0005\ufffd\u003E\ufffde\ufffd\ufffd\ufffdty\\u001d\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8\\u0014 x \ufffdS\\t\ufffd\\u0014\\n\ufffd[~\ufffd\ufffd}\\u0006\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdIR\ufffd\\u001d\ufffd\ufffdW\ufffdb\\u000f\ufffd$\\f\\u0010\uf7be\ufffd\ufffdH\ufffd1\u00a7\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdL\ufffd\ufffd\\u0004T\\u0013\\u0005\ufffd\u003E\ufffde\ufffd\ufffd\ufffdty\\u001d\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8\\u0014 x \ufffdS\\t\ufffd\\u0014\\n\ufffd[~\ufffd\ufffd}\\u0006\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225bb14209c145ee2f117b1c098f6a1d8c308741b8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdL\ufffd\ufffd\\u0004T\\u0013\\u0005\ufffd\u003E\ufffde\ufffd\ufffd\ufffdty\\u001d\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8\\u0014 x \ufffdS\\t\ufffd\\u0014\\n\ufffd[~\ufffd\ufffd}\\u0006\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4433, \u0022service\u0022: \u0022quic-http3-stub\u0022, \u0022service_label_fr\u0022: \u0022QUIC HTTP3 STUB\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdL\ufffd\ufffdT\ufffd\u003E\ufffde\ufffd\ufffd\ufffdty\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8 x \ufffdS\\t\ufffd\\n\ufffd[~\ufffd\ufffd}\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via QUIC HTTP3 STUB:4433 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00224433 \u00b7 QUIC HTTP3 STUB\u0022, \u0022emulator_service\u0022: \u0022quic-http3-stub\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via QUIC HTTP3 STUB \u2014 multi-protocole (7 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022quic-http3-stub\u0022, \u0022service_label_fr\u0022: \u0022QUIC HTTP3 STUB\u0022, \u0022dst_port\u0022: 4433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-quic-http3-stub\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdL\ufffd\ufffd\\u0004T\\u0013\\u0005\ufffd\u003E\ufffde\ufffd\ufffd\ufffdty\\u001d\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8\\u0014 x \ufffdS\\t\ufffd\\u0014\\n\ufffd[~\ufffd\ufffd}\\u0006\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 4433, \u0022service\u0022: \u0022quic-http3-stub\u0022, \u0022service_label_fr\u0022: \u0022QUIC HTTP3 STUB\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via QUIC HTTP3 STUB:4433 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdL\ufffd\ufffdT\ufffd\u003E\ufffde\ufffd\ufffd\ufffdty\ufffd\ufffd\u79c0I\ufffdc\ufffdim\u01f8 x \ufffdS\\t\ufffd\\n\ufffd[~\ufffd\ufffd}\ufffd$\ufffd\ufffd\ufffdP\ufffd|\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdi\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00224433 \u00b7 QUIC HTTP3 STUB\u0022, \u0022emulator_service\u0022: \u0022quic-http3-stub\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022quic_http3_stub\u0022, \u0022service_banner\u0022: \u0022honeypot-quic-http3-stub\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 7, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022, \u0022quic-http3-stub\u0022, \u0022upnp-tcp\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_quic_probe\u0022, \u0022quic_http3_stub_emulated\u0022, \u0022quic_http3_stub_payload\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_quic_probe\u0022, \u0022quic_http3_stub_emulated\u0022, \u0022quic_http3_stub_payload\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":261},{"id":9590680,"ip":"80.87.206.168","ts":"2026-06-18 16:14:39.000000","proto":"tcp","src_port":34500,"dst_port":5001,"service":"upnp-tcp","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742075706e705f74637020726561647920706f72743d353030310d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.919736970967773, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022app_proto\u0022: \u0022upnp-tcp\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022436278379f11f507398419d513ec805702ed650d\u0022, \u0022event_fingerprint\u0022: \u0022a80d71c7dcef6b8541bd0810036e78213dbbe720\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022upnp-tcp\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cd4d0020841a54ac8a9b159f993bd5cf\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5001, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022service_name\u0022: \u0022upnp-tcp\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003*\ufffd\u0691\\u0001\u003C(\ufffd\\u0016\ufffdH\ufffd\ufffd@\\u001b\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd\\u001a],L \ufffdN\\u00158\\u0000S\\n\\f\ufffdk{,\ufffd\ufffdI\ufffd\u0784\\u0019:\ufffd\ufffd\\u0017:\ufffdg\ufffd\\u0007\ufffd\u063d2\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003*\ufffd\u0691\\u0001\u003C(\ufffd\\u0016\ufffdH\ufffd\ufffd@\\u001b\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd\\u001a],L \ufffdN\\u00158\\u0000S\\n\\f\ufffdk{,\ufffd\ufffdI\ufffd\u0784\\u0019:\ufffd\ufffd\\u0017:\ufffdg\ufffd\\u0007\ufffd\u063d2\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdJ\ufffd=\ufffd\\u0010_\ufffd\\u0019\ufffd\ufffd\ufffd\ufffd\ufffd\u2790~H\ufffd\ufffdi\ufffd\ufffd9\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003*\ufffd\u0691\\u0001\u003C(\ufffd\\u0016\ufffdH\ufffd\ufffd@\\u001b\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd\\u001a],L \ufffdN\\u00158\\u0000S\\n\\f\ufffdk{,\ufffd\ufffdI\ufffd\u0784\\u0019:\ufffd\ufffd\\u0017:\ufffdg\ufffd\\u0007\ufffd\u063d2\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226c69a59b710b7436bd4b84470dea017a2ad50670\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003*\ufffd\u0691\\u0001\u003C(\ufffd\\u0016\ufffdH\ufffd\ufffd@\\u001b\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd\\u001a],L \ufffdN\\u00158\\u0000S\\n\\f\ufffdk{,\ufffd\ufffdI\ufffd\u0784\\u0019:\ufffd\ufffd\\u0017:\ufffdg\ufffd\\u0007\ufffd\u063d2\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5001, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022service_label_fr\u0022: \u0022UPNP TCP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd*\ufffd\u0691\u003C(\ufffd\ufffdH\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd],L \ufffdN8S\\n\ufffdk{,\ufffd\ufffdI\ufffd\u0784:\ufffd\ufffd:\ufffdg\ufffd\ufffd\u063d2\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via UPNP TCP:5001 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00225001 \u00b7 UPNP TCP\u0022, \u0022emulator_service\u0022: \u0022upnp-tcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via UPNP TCP \u2014 multi-protocole (6 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022upnp-tcp\u0022, \u0022service_label_fr\u0022: \u0022UPNP TCP\u0022, \u0022dst_port\u0022: 5001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-upnp-tcp\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003*\ufffd\u0691\\u0001\u003C(\ufffd\\u0016\ufffdH\ufffd\ufffd@\\u001b\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd\\u001a],L \ufffdN\\u00158\\u0000S\\n\\f\ufffdk{,\ufffd\ufffdI\ufffd\u0784\\u0019:\ufffd\ufffd\\u0017:\ufffdg\ufffd\\u0007\ufffd\u063d2\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 5001, \u0022service\u0022: \u0022upnp-tcp\u0022, \u0022service_label_fr\u0022: \u0022UPNP TCP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via UPNP TCP:5001 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd*\ufffd\u0691\u003C(\ufffd\ufffdH\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd$G\ufffd],L \ufffdN8S\\n\ufffdk{,\ufffd\ufffdI\ufffd\u0784:\ufffd\ufffd:\ufffdg\ufffd\ufffd\u063d2\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00225001 \u00b7 UPNP TCP\u0022, \u0022emulator_service\u0022: \u0022upnp-tcp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 1 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022upnp_tcp\u0022, \u0022service_banner\u0022: \u0022honeypot-upnp-tcp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [2053, 5001, 8081, 8443, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 6, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022, \u0022upnp-tcp\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":261},{"id":9590676,"ip":"80.87.206.168","ts":"2026-06-18 16:14:27.000000","proto":"tcp","src_port":40802,"dst_port":8443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.908657843013905, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 8443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022841a7de3c3cbd932ffe2df923d0bb6a948309046\u0022, \u0022event_fingerprint\u0022: \u002248aa5a12dd4150e072f6d3dd03f9143ac67f8d69\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222d8d51593491dc3f1507e6c092583635\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 42}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\u0027\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\\b\u00cd\\u0010n\ufffd4]\\u000e3\u01ca1S \ufffd\u003C\ufffdg\ufffd\ufffd\ufffd\\u001e\\u0012`%\ufffd\ufffd\ufffd\\u0013\\u0004\u003E\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\u0027\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\\b\u00cd\\u0010n\ufffd4]\\u000e3\u01ca1S \ufffd\u003C\ufffdg\ufffd\ufffd\ufffd\\u001e\\u0012`%\ufffd\ufffd\ufffd\\u0013\\u0004\u003E\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0010\\u0000\\u000e\\u0000\\f\\u0002h2\\bhttp\/1.1\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\\b\ufffdL\ufffd\ufffd\ufffdn\ufffd\u06bb\ufffd#\ufffd\ufffd\\u00166\u003E\ufffd~\\u001df%\\u0005\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\u0027\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\\b\u00cd\\u0010n\ufffd4]\\u000e3\u01ca1S \ufffd\u003C\ufffdg\ufffd\ufffd\ufffd\\u001e\\u0012`%\ufffd\ufffd\ufffd\\u0013\\u0004\u003E\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002206c3b7e3c527731f762d64ee2118fc02416ef24c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\u0027\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\\b\u00cd\\u0010n\ufffd4]\\u000e3\u01ca1S \ufffd\u003C\ufffdg\ufffd\ufffd\ufffd\\u001e\\u0012`%\ufffd\ufffd\ufffd\\u0013\\u0004\u003E\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u0027\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\u00cdn\ufffd4]3\u01ca1S \ufffd\u003C\ufffdg\ufffd\ufffd\ufffd`%\ufffd\ufffd\ufffd\u003E\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (5 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 42, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 8443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\\u0000\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\u0027\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\\b\u00cd\\u0010n\ufffd4]\\u000e3\u01ca1S \ufffd\u003C\ufffdg\ufffd\ufffd\ufffd\\u001e\\u0012`%\ufffd\ufffd\ufffd\\u0013\\u0004\u003E\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000\ufffd\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u0027\ufffdT\/\ufffd7\ufffd\ufffd\ud72cabx\ufffd\ufffdV\u00cdn\ufffd4]3\u01ca1S \ufffd\u003C\ufffdg\ufffd\ufffd\ufffd`%\ufffd\ufffd\ufffd\u003E\ufffdnF\ufffd5\ufffd{\ufffd]\u072b\ufffd\ufffd\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n\ufffd\u0022, \u0022target_port_label\u0022: \u00228443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [1024, 2053, 8081, 8443, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 5, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022net_web_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022net_web_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":261},{"id":9590604,"ip":"80.87.206.168","ts":"2026-06-18 16:14:03.000000","proto":"tcp","src_port":40182,"dst_port":8888,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00227b4be00556d7e6bfe311880770d4e1c76ac6f59e\u0022, \u0022http_host_hash\u0022: \u002225a58e7d7f0ed40aadf0d51b038172ea9ccc8435\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.059107436252552, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002221bf389d850abae9d7161b95ebaf244f6a5f045a\u0022, \u0022event_fingerprint\u0022: \u002249f507c2cf48f6931b95b26ad1848f202640d676\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022, \u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022, \u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022, \u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ef60d663d36db05cc1e68077f8a0f3fa\u0022, \u0022payload_hash\u0022: \u00224b45d64589c6857948a7f7d7fb4bc275\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022825028b32ffb9289a20016aa6cd43bcb73d512d2\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (5 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8888, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8888\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00228888 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 6, \u0022port_scan_ports_sample\u0022: [1024, 2053, 5000, 8081, 8443, 8888], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 5, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8888","http_user_agent":"Mozilla\/5.0 zgrab\/0.x","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":9590582,"ip":"80.87.206.168","ts":"2026-06-18 16:13:57.000000","proto":"tcp","src_port":52432,"dst_port":2053,"service":"cloudflare-tunnel","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120343034204e6f7420466f756e640d0a5365727665723a20636c6f7564666c6172650d0a436f6e74656e742d4c656e6774683a20300d0a0d0a\u0022, \u0022emulator_response_len\u0022: 65, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.030133217521869, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022cloudflare-tunnel\u0022, \u0022app_proto\u0022: \u0022cloudflare-tunnel\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 2053, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225004ba207ce4d8d47204e0994c4d5fbe107e9847\u0022, \u0022event_fingerprint\u0022: \u0022ecf61e9accc2dacac55d45c01f6f6a64e26c6ab4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022cloudflare-tunnel\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227561080f1b8266bfa2f094a55bfa2bc1\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2053, \u0022service\u0022: \u0022cloudflare-tunnel\u0022, \u0022service_name\u0022: \u0022cloudflare-tunnel\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2053\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2053\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2053\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2053\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2053\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e3c0cc33dcf6800365deadc475e56d59186a3dc8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2053\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022port\u0022: 2053, \u0022service\u0022: \u0022cloudflare-tunnel\u0022, \u0022service_label_fr\u0022: \u0022CLOUDFLARE TUNNEL\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2053\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via CLOUDFLARE TUNNEL:2053 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00222053 \u00b7 CLOUDFLARE TUNNEL\u0022, \u0022emulator_service\u0022: \u0022cloudflare-tunnel\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CLOUDFLARE TUNNEL \u2014 multi-protocole (5 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022cloudflare-tunnel\u0022, \u0022service_label_fr\u0022: \u0022CLOUDFLARE TUNNEL\u0022, \u0022dst_port\u0022: 2053, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-cloudflare-tunnel\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2053\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022port\u0022: 2053, \u0022service\u0022: \u0022cloudflare-tunnel\u0022, \u0022service_label_fr\u0022: \u0022CLOUDFLARE TUNNEL\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via CLOUDFLARE TUNNEL:2053 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2053\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00222053 \u00b7 CLOUDFLARE TUNNEL\u0022, \u0022emulator_service\u0022: \u0022cloudflare-tunnel\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022cloudflare_tunnel\u0022, \u0022service_banner\u0022: \u0022honeypot-cloudflare-tunnel\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222053\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 6, \u0022port_scan_ports_sample\u0022: [1024, 2053, 5000, 8081, 8443, 30005], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 5, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022cloudflare-tunnel\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022cloudflare_tunnel_emulated\u0022, \u0022cloudflare_tunnel_payload\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022cloudflare_tunnel_emulated\u0022, \u0022cloudflare_tunnel_payload\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":112},{"id":9590534,"ip":"80.87.206.168","ts":"2026-06-18 16:13:45.000000","proto":"tcp","src_port":40356,"dst_port":8081,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00227b4be00556d7e6bfe311880770d4e1c76ac6f59e\u0022, \u0022http_host_hash\u0022: \u00221994c0ff95f3f16c5fa9177d852edc4f1a4a8a24\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.059107436252552, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223c5b0d89e6b0f305d9e07fe5cbb06c60582917dc\u0022, \u0022event_fingerprint\u0022: \u00226200042a8eedd96c47b109adc0963a36d177f604\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ef60d663d36db05cc1e68077f8a0f3fa\u0022, \u0022payload_hash\u0022: \u00220907dd8a11e812f73678094cd91a73a1\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022408ee1b1443139e694d4a33d86cd53a1d2eb8491\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8081 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (4 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8081 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8081\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [1024, 5000, 8081, 8443, 30005], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 4, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8081","http_user_agent":"Mozilla\/5.0 zgrab\/0.x","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":9590485,"ip":"80.87.206.168","ts":"2026-06-18 16:13:33.000000","proto":"tcp","src_port":51320,"dst_port":1024,"service":"kdm","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206b646d20726561647920706f72743d313032340d0a\u0022, \u0022emulator_response_len\u0022: 34, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.059107436252552, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022kdm\u0022, \u0022app_proto\u0022: \u0022kdm\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 1024, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 1.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 51, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b9ed8eedb2d7cacf7f6c17864d36d17850957319\u0022, \u0022event_fingerprint\u0022: \u002243a391efbc4b959775b89d3fc895feaf23a04a6b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022kdm\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226dee61d45f8169c1d825ad21fa7b14b0\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1024, \u0022service\u0022: \u0022kdm\u0022, \u0022service_name\u0022: \u0022kdm\u0022, \u0022risk_score\u0022: 51}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1024\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1024\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1024\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1024\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1024\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002291d54467330cf1a6ad2d4feb9a420f9c6b060a7a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1024\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022port\u0022: 1024, \u0022service\u0022: \u0022kdm\u0022, \u0022service_label_fr\u0022: \u0022KDM\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1024\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via KDM:1024 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00221024 \u00b7 KDM\u0022, \u0022emulator_service\u0022: \u0022kdm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via KDM \u2014 multi-protocole (4 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 51, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 51, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022kdm\u0022, \u0022service_label_fr\u0022: \u0022KDM\u0022, \u0022dst_port\u0022: 1024, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-kdm\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1024\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022port\u0022: 1024, \u0022service\u0022: \u0022kdm\u0022, \u0022service_label_fr\u0022: \u0022KDM\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via KDM:1024 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1024\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00221024 \u00b7 KDM\u0022, \u0022emulator_service\u0022: \u0022kdm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022kdm\u0022, \u0022service_banner\u0022: \u0022honeypot-kdm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221024\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [1024, 5000, 8089, 8443, 30005], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 4, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022http\u0022, \u0022https\u0022, \u0022kdm\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":112},{"id":9590441,"ip":"80.87.206.168","ts":"2026-06-18 16:13:21.000000","proto":"tcp","src_port":40800,"dst_port":8443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.083704646093297, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 8443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222aa17a6b515596b20eaea8d57184d62da9f48dfc\u0022, \u0022event_fingerprint\u0022: \u002248aa5a12dd4150e072f6d3dd03f9143ac67f8d69\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221fa84916b207202da032b73901af3ba3\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223c99aacb5faf9c458f6db3db5aa5b4daecca3865\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (3 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 8443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8443\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00228443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [5000, 8085, 8089, 8443, 30005], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022http\u0022, \u0022https\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":112},{"id":9590400,"ip":"80.87.206.168","ts":"2026-06-18 16:13:09.000000","proto":"tcp","src_port":60316,"dst_port":5000,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c\u0022, \u0022emulator_response_len\u0022: 158, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00227b4be00556d7e6bfe311880770d4e1c76ac6f59e\u0022, \u0022http_host_hash\u0022: \u0022b3fecad1903fbad7bf672cc5a25c971b97553846\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.009913016571061, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5000, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e727e1636ef6f6717e04d6bacfac19cbfb94845c\u0022, \u0022event_fingerprint\u0022: \u002275a3a9e560bcdbdbc1d9fd15750e1b81cebffe01\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ef60d663d36db05cc1e68077f8a0f3fa\u0022, \u0022payload_hash\u0022: \u0022f2a79c89c01b43d675ffe5a87379ca62\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5000\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5000\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5000\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5000\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5000\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d07b78c14d1aaf4c381cffcdfd00651ae4fe9001\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 5000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5000\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:5000 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00225000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 5000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:5000 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5000\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00225000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [5000, 8080, 8085, 8089, 30005], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5000","http_user_agent":"Mozilla\/5.0 zgrab\/0.x","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":9590351,"ip":"80.87.206.168","ts":"2026-06-18 16:12:57.000000","proto":"tcp","src_port":33104,"dst_port":30005,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00227b4be00556d7e6bfe311880770d4e1c76ac6f59e\u0022, \u0022http_host_hash\u0022: \u002235199aec1f494705c37d247e1616159f8ad2f9f2\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 113, \u0022payload_entropy\u0022: 5.009925812748559, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 30005, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002216f2c69fbeec29d3107d62b26f28dc49c9e75251\u0022, \u0022event_fingerprint\u0022: \u00223016f3038977b9eb47c64c3c6038ddbf5d0479fe\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ef60d663d36db05cc1e68077f8a0f3fa\u0022, \u0022payload_hash\u0022: \u002203d1baaca5649d0cbd360145392e7ec4\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 30005, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:30005\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:30005\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:30005\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:30005\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:30005\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228dba8c09d0b889957cfea8d9517fc6e2c7d1a501\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 30005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:30005\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:30005 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u002230005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 30005, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 30005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:30005 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:30005\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u002230005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002230005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [4567, 8080, 8085, 8089, 30005], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:30005","http_user_agent":"Mozilla\/5.0 zgrab\/0.x","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":4,"bytes_in":113},{"id":9590273,"ip":"80.87.206.168","ts":"2026-06-18 16:12:38.000000","proto":"tcp","src_port":60196,"dst_port":8089,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00227b4be00556d7e6bfe311880770d4e1c76ac6f59e\u0022, \u0022http_host_hash\u0022: \u00226e7855f9d1ec5b350040e6a7fa2c7046d35c68a6\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.083704646093297, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 8089, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223dcbd718aee25c603659d401ebc89ec17c0e8d26\u0022, \u0022event_fingerprint\u0022: \u0022ba90420e23c65aee85f6aad281e4572aebff6d6e\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 293, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ef60d663d36db05cc1e68077f8a0f3fa\u0022, \u0022payload_hash\u0022: \u0022d92e9af195da9d51503f7cfc50e8a760\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8089, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8089\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8089\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8089\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8089\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8089\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022448d5533a01bf301ea55c179dafdfd447a978b98\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 8089, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8089\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8089 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228089 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8089, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-scan-burst\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Scan Burst\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 8089, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8089 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8089\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00228089 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228089\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 5, \u0022port_scan_ports_sample\u0022: [4567, 7547, 8080, 8085, 8089], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8089","http_user_agent":"Mozilla\/5.0 zgrab\/0.x","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":9590242,"ip":"80.87.206.168","ts":"2026-06-18 16:12:32.000000","proto":"tcp","src_port":47150,"dst_port":8085,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00227b4be00556d7e6bfe311880770d4e1c76ac6f59e\u0022, \u0022http_host_hash\u0022: \u00228307e910dac7083f4f0d52abcc8375f89d55b254\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.059107436252552, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 8085, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022695676f411c001dad49368f0d91e62d9922c1e85\u0022, \u0022event_fingerprint\u0022: \u00223ba3caf85b54604d2e5345c79177ef73dd4d9056\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 14}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ef60d663d36db05cc1e68077f8a0f3fa\u0022, \u0022payload_hash\u0022: \u002230ebfef5265d94efd52dfa1725158432\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8085, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022110c6b2a4f7aa94f7daa86d3cef66f7be0ce11dd\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 8085, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8085 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228085 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 14}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8085, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022campagne_ports\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Campagne multi-ports\u0022, \u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +14\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 8085, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8085 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8085\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00228085 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228085\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 4, \u0022port_scan_ports_sample\u0022: [4567, 7547, 8080, 8085], \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022, \u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 14, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8085","http_user_agent":"Mozilla\/5.0 zgrab\/0.x","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":9590187,"ip":"80.87.206.168","ts":"2026-06-18 16:12:20.000000","proto":"tcp","src_port":50830,"dst_port":8080,"service":"http","classification":"port_scan_syn","waf_score":9,"waf_tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 81, \u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00227b4be00556d7e6bfe311880770d4e1c76ac6f59e\u0022, \u0022http_host_hash\u0022: \u0022c9908f9a31aefa5902e21ee9fa132cbe056c536d\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.051475713285826, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 8080, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b1c1d63cb11f530ae59ec2181946dabedd690d9a\u0022, \u0022event_fingerprint\u0022: \u0022e8d7e440ce64622852a586f753bfe5d0110d3e76\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 231, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ef60d663d36db05cc1e68077f8a0f3fa\u0022, \u0022payload_hash\u0022: \u002215db5e6ccbc8cf8875fac67e31c3f499\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222a8c39bd357204ae6b399709d08cfb8137a7951a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022attack_stage_label\u0022: \u0022Reconnaissance\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-beh-multi-port-60s\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022Beh Multi Port 60S\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 8080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8080\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00228080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8080","http_user_agent":"Mozilla\/5.0 zgrab\/0.x","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":9590124,"ip":"80.87.206.168","ts":"2026-06-18 16:12:08.000000","proto":"tcp","src_port":50292,"dst_port":4567,"service":"aws-ecs-agent","classification":"scanner_vuln","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206177735f6563735f6167656e7420726561647920706f72743d343536370d0a\u0022, \u0022emulator_response_len\u0022: 44, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.0880816549832355, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022app_proto\u0022: \u0022aws-ecs-agent\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 4567, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002251ebd422486eaae9d380a4b426af602a2fb5a6cc\u0022, \u0022event_fingerprint\u0022: \u0022ed5db39ce4a1ce0fda50382d1438797185e5f337\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 108, \u0022precision_signals\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 49, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022aws-ecs-agent\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222b62e1a5dc99586600e0ecc5d14565d4\u0022, \u0022path_pattern_hash\u0022: \u0022b71c8aad2b015494f15e7bb035951b05\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4567, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022service_name\u0022: \u0022aws-ecs-agent\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223edeefbe4e92c5a06701e4a5b12264b7224f70ee\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022port\u0022: 4567, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022service_label_fr\u0022: \u0022AWS ECS AGENT\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224567 \u00b7 AWS ECS AGENT\u0022, \u0022emulator_service\u0022: \u0022aws-ecs-agent\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 49\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 49, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 49, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022aws-ecs-agent\u0022, \u0022service_label_fr\u0022: \u0022AWS ECS AGENT\u0022, \u0022dst_port\u0022: 4567, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-aws-ecs-agent\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022port\u0022: 4567, \u0022service\u0022: \u0022aws-ecs-agent\u0022, \u0022service_label_fr\u0022: \u0022AWS ECS AGENT\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:4567\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00224567 \u00b7 AWS ECS AGENT\u0022, \u0022emulator_service\u0022: \u0022aws-ecs-agent\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022aws_ecs_agent\u0022, \u0022service_banner\u0022: \u0022honeypot-aws-ecs-agent\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224567\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022aws-ecs-agent\u0022, \u0022http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022aws_ecs_agent_emulated\u0022, \u0022aws_ecs_agent_payload\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_cloud_scanner\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022aws_ecs_agent_emulated\u0022, \u0022aws_ecs_agent_payload\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_cloud_scanner\u0022]","anomalies":"[]","severity":7,"bytes_in":112},{"id":9590021,"ip":"80.87.206.168","ts":"2026-06-18 16:11:44.000000","proto":"tcp","src_port":56088,"dst_port":7547,"service":"http","classification":"scanner_vuln","waf_score":9,"waf_tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00227b4be00556d7e6bfe311880770d4e1c76ac6f59e\u0022, \u0022http_host_hash\u0022: \u002289d87453121897c0b4544fa397f8c826335c2714\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.0880816549832355, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 7547, \u0022risk_waf\u0022: 44.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fc0531b7dcf11f6f1988f58d7f30f61926a9309d\u0022, \u0022event_fingerprint\u0022: \u0022986353bc470389ce8fd34d587b920c685e27e0a3\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 108, \u0022precision_signals\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_patterns\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022matched_pattern_names\u0022: [\u0022ET zgrab fingerprint\u0022, \u0022UA zgrab\u0022], \u0022pattern_ids\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022vuln_scanner\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ef60d663d36db05cc1e68077f8a0f3fa\u0022, \u0022payload_hash\u0022: \u0022b5850fa0422c1a3f54d66fa4cacae350\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7547, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7547\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7547\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7547\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7547\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7547\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002256dbccd540a13ed9d616b9da159d5fe27d603287\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 7547, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7547\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:7547 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227547 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 44.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7547, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0594\u0022, \u0022pat-0458\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 zgrab\/0.x\u0022, \u0022port\u0022: 7547, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022scanner vuln \u00b7 via HTTP:7547 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:7547\\r\\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\u0022, \u0022target_port_label\u0022: \u00227547 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 44 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227547\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:7547","http_user_agent":"Mozilla\/5.0 zgrab\/0.x","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":9589321,"ip":"80.87.206.168","ts":"2026-06-18 15:59:37.000000","proto":"tcp","src_port":33540,"dst_port":5460,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 24, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 5.024802760452281, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5460, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022746c55b23b166b0a365595ab977f5e0aea5f05e1\u0022, \u0022event_fingerprint\u0022: \u00220ec653656c3cd8fc5ce59110ea0fbcc18bd95188\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022payload_hash\u0022: \u0022f529abb4a2c11c276aa248ba0abd7b66\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5460, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdh\\u0015\ufffd\\t\ufffd-\ufffd\\u0011Y\\u0006\ufffd\ufffd\u0026\ufffd\ufffdl\\u000ehg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[\\u00109\ufffd\\u0018\ufffdqK\\u0004\u003C\u0027\ufffd\ufffd\\u0011\ufffdvui\\u001c\ufffd?\ufffd\\b\ufffd\ufffd\\u0012\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdh\\u0015\ufffd\\t\ufffd-\ufffd\\u0011Y\\u0006\ufffd\ufffd\u0026\ufffd\ufffdl\\u000ehg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[\\u00109\ufffd\\u0018\ufffdqK\\u0004\u003C\u0027\ufffd\ufffd\\u0011\ufffdvui\\u001c\ufffd?\ufffd\\b\ufffd\ufffd\\u0012\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001\\u0005\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdh\\u0015\ufffd\\t\ufffd-\ufffd\\u0011Y\\u0006\ufffd\ufffd\u0026\ufffd\ufffdl\\u000ehg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[\\u00109\ufffd\\u0018\ufffdqK\\u0004\u003C\u0027\ufffd\ufffd\\u0011\ufffdvui\\u001c\ufffd?\ufffd\\b\ufffd\ufffd\\u0012\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228a6fe9a9e594bc6df7b23c4c708fd5df721f4ec6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdh\\u0015\ufffd\\t\ufffd-\ufffd\\u0011Y\\u0006\ufffd\ufffd\u0026\ufffd\ufffdl\\u000ehg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[\\u00109\ufffd\\u0018\ufffdqK\\u0004\u003C\u0027\ufffd\ufffd\\u0011\ufffdvui\\u001c\ufffd?\ufffd\\b\ufffd\ufffd\\u0012\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022tls_ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022port\u0022: 5460, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdh\ufffd\\t\ufffd-\ufffdY\ufffd\ufffd\u0026\ufffd\ufffdlhg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[9\ufffd\ufffdqK\u003C\u0027\ufffd\ufffd\ufffdvui\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5460 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225460 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 5460, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdh\\u0015\ufffd\\t\ufffd-\ufffd\\u0011Y\\u0006\ufffd\ufffd\u0026\ufffd\ufffdl\\u000ehg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[\\u00109\ufffd\\u0018\ufffdqK\\u0004\u003C\u0027\ufffd\ufffd\\u0011\ufffdvui\\u001c\ufffd?\ufffd\\b\ufffd\ufffd\\u0012\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022tls_ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022port\u0022: 5460, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5460 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdh\ufffd\\t\ufffd-\ufffdY\ufffd\ufffd\u0026\ufffd\ufffdlhg\u0345\ufffdFv\ufffdH\ufffdal\ufffd TME 2[9\ufffd\ufffdqK\u003C\u0027\ufffd\ufffd\ufffdvui\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00225460 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225460\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:5460\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"cc61f04eb7a2e049ef5095a5eb5a4ae0","tls_ja3":"771,4866-4867-4865-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-69-68-49176-52-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":9589313,"ip":"80.87.206.168","ts":"2026-06-18 15:59:25.000000","proto":"tcp","src_port":33482,"dst_port":5460,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 24, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 5.0654042279435245, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5460, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022746c55b23b166b0a365595ab977f5e0aea5f05e1\u0022, \u0022event_fingerprint\u0022: \u00220ec653656c3cd8fc5ce59110ea0fbcc18bd95188\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022payload_hash\u0022: \u0022a3b699a1d25d1ecf7d78a62d0516e8df\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5460, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd\u003Ct|\\nF\ufffd\ufffd=\ufffd\\u000b\ufffd\\\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd\u003Ct|\\nF\ufffd\ufffd=\ufffd\\u000b\ufffd\\\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001\\u0005\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd\u003Ct|\\nF\ufffd\ufffd=\ufffd\\u000b\ufffd\\\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd\u003Ct|\\nF\ufffd\ufffd=\ufffd\\u000b\ufffd\\\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001\\u0005\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd\u003Ct|\\nF\ufffd\ufffd=\ufffd\\u000b\ufffd\\\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225dc02ff53099bb3c00bfccc92c50374bb49f7c0b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd\u003Ct|\\nF\ufffd\ufffd=\ufffd\\u000b\ufffd\\\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022tls_ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022port\u0022: 5460, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u00ef9\ufffd3\ufffd\ufffd`\\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd\u003Ct|\\nF\ufffd\ufffd=\ufffd\ufffd\\\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5460 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225460 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 5460, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u000e\ufffd\u00ef9\ufffd3\ufffd\ufffd`\\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd\u003Ct|\\nF\ufffd\ufffd=\ufffd\\u000b\ufffd\\\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022tls_ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022port\u0022: 5460, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5460 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u00ef9\ufffd3\ufffd\ufffd`\\nc(\ufffd\ufffd\ufffd}\ufffdh\ufffd\ufffd+i\ufffd\ufffd!\ufffd9\ufffd\ufffd@\ufffd \ufffd\ufffdq\ufffdAo\ufffd\ufffd\ufffd\u003Ct|\\nF\ufffd\ufffd=\ufffd\ufffd\\\\\ufffdK\ufffd\ufffdkZ\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00225460 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225460\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:5460\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"cc61f04eb7a2e049ef5095a5eb5a4ae0","tls_ja3":"771,4866-4867-4865-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-69-68-49176-52-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":9589306,"ip":"80.87.206.168","ts":"2026-06-18 15:59:08.000000","proto":"tcp","src_port":33442,"dst_port":5460,"service":null,"classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 345, \u0022payload_entropy\u0022: 5.344543586395236, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5460, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002235fb90409aea30624a7ccc0f67ebfe8311bb2272\u0022, \u0022event_fingerprint\u0022: \u00223e4e54a14b1e9a792dd3f6fe3666942486471606\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002267d26fbb99e7a325a5cb0b7e2d648f52\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5460, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\\r\\nMax-Forwards: 70\\r\\nCall-ID: c6a0c1e1\u0022, \u0022request_sample\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\\r\\nMax-Forwards: 70\\r\\nCall-ID: c6a0c1e1-001e-4a9a-887a-4cb5d0637c59\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:52738570472@62.3.50.33\u003E\\r\\nFrom: \u003Csip:52738570472@192.168.10.127\u003E;tag=59\u0022, \u0022payload_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\\r\\nMax-Forwards: 70\\r\\nCall-ID: c6a0c1e1\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\\r\\nMax-Forwards: 70\\r\\nCall-ID: c6a0c1e1-001e-4a9a-887a-4cb5d0637c59\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:52738570472@62.3.50.33\u003E\\r\\nFrom: \u003Csip:52738570472@192.168.10.127\u003E;tag=59\u0022, \u0022payload_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\\r\\nMax-Forwards: 70\\r\\nCall-ID: c6a0c1e1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f920aab38e35a635872e7aa81f829fa79ec2deb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\\r\\nMax-Forwards: 70\\r\\nCall-ID: c6a0c1e1\u0022, \u0022port\u0022: 5460}, \u0022evidence_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\\r\\nMax-Forwards: 70\\r\\nCall-ID: c6a0c1e1\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 port 5460 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225460\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 multi-protocole (3 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 5460, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\\r\\nMax-Forwards: 70\\r\\nCall-ID: c6a0c1e1\u0022, \u0022port\u0022: 5460}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 port 5460 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.127:33442;branch=z9hG4bK-34314\\r\\nMax-Forwards: 70\\r\\nCall-ID: c6a0c1e1\u0022, \u0022target_port_label\u0022: \u00225460\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225460\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:5460\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":345},{"id":9589298,"ip":"80.87.206.168","ts":"2026-06-18 15:58:51.000000","proto":"tcp","src_port":33374,"dst_port":5460,"service":"http","classification":"http_smuggling_probe","waf_score":28,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022]","http_method":"OPTIONS","http_target":"sip:62.3.50.33","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002233\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022a93b9fae74730e34a8148a6bdc278533115dc4a8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022OPTIONS\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 337, \u0022payload_entropy\u0022: 5.373446938121617, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5460, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 66, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002278fe0ed4f7c10a1484d2bacac8c87d321d4a38e4\u0022, \u0022event_fingerprint\u0022: \u0022b6db3128c005ca7a6003459f003fc31aa2dffd60\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad40176df1fe8283ea2730d49383a6a0\u0022, \u0022path_pattern_hash\u0022: \u002254f584808f270c653072560c766be65a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5460, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 66}, \u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\\r\\nMax-Forwards: 70\\r\\nCall-ID: d46be445-0\u0022, \u0022method\u0022: \u0022OPTIONS\u0022, \u0022path\u0022: \u0022sip:62.3.50.33\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022OPTIONS sip:62.3.50.33 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\\r\\nMax-Forwards: 70\\r\\nCall-ID: d46be445-0aba-4679-8827-26cea8745b16\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:62.3.50.33\u003E\\r\\nFrom: \u003Csip:87386788069@192.168.10.82\u003E;tag=8136\\r\\nCSeq: 1 OPT\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\\r\\nMax-Forwards: 70\\r\\nCall-ID: d46be445-0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022OPTIONS\u0022, \u0022path\u0022: \u0022sip:62.3.50.33\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022OPTIONS sip:62.3.50.33 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\\r\\nMax-Forwards: 70\\r\\nCall-ID: d46be445-0aba-4679-8827-26cea8745b16\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:62.3.50.33\u003E\\r\\nFrom: \u003Csip:87386788069@192.168.10.82\u003E;tag=8136\\r\\nCSeq: 1 OPT\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\\r\\nMax-Forwards: 70\\r\\nCall-ID: d46be445-0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223847e158484f1aadaa336401b0b32e9806ac0b72\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022OPTIONS\u0022, \u0022http_path\u0022: \u0022sip:62.3.50.33\u0022, \u0022request_line\u0022: \u0022OPTIONS sip:62.3.50.33 HTTP\/1.1\u0022, \u0022port\u0022: 5460, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\\r\\nMax-Forwards: 70\\r\\nCall-ID: d46be445-0\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:5460 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 sip:62.3.50.33\u0022, \u0022target_port_label\u0022: \u00225460 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 66, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 66, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5460, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022OPTIONS\u0022, \u0022http_path\u0022: \u0022sip:62.3.50.33\u0022, \u0022request_line\u0022: \u0022OPTIONS sip:62.3.50.33 HTTP\/1.1\u0022, \u0022port\u0022: 5460, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:5460 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 sip:62.3.50.33\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.82:33374;branch=z9hG4bK-63388\\r\\nMax-Forwards: 70\\r\\nCall-ID: d46be445-0\u0022, \u0022target_port_label\u0022: \u00225460 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225460\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:5260\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"SIP\/2.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":10,"bytes_in":337},{"id":9589121,"ip":"80.87.206.168","ts":"2026-06-18 15:54:31.000000","proto":"tcp","src_port":36724,"dst_port":5260,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 24, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 5.066284882808564, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5260, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e5148bdfe6a1bff0ccf7c6f590968ebc05bedb8e\u0022, \u0022event_fingerprint\u0022: \u0022ddae32505acafdc7a824386068e014572fcc2e2e\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022payload_hash\u0022: \u0022f0d9b8e047f2ad81737de211af31c132\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5260, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\\u001a\ufffd\\u001eQNt\\f\ufffdA\\u0011=!\u063cK\\u001e\ufffd}\\u0007\ufffd )\ufffd\u0455\\\u0022\\u0011S\ufffd\\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\\u0007g\ufffd^)8\ufffd\ufffdL\\u001aGk\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\\u001a\ufffd\\u001eQNt\\f\ufffdA\\u0011=!\u063cK\\u001e\ufffd}\\u0007\ufffd )\ufffd\u0455\\\u0022\\u0011S\ufffd\\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\\u0007g\ufffd^)8\ufffd\ufffdL\\u001aGk\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001\\u0005\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\\u001a\ufffd\\u001eQNt\\f\ufffdA\\u0011=!\u063cK\\u001e\ufffd}\\u0007\ufffd )\ufffd\u0455\\\u0022\\u0011S\ufffd\\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\\u0007g\ufffd^)8\ufffd\ufffdL\\u001aGk\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\\u001a\ufffd\\u001eQNt\\f\ufffdA\\u0011=!\u063cK\\u001e\ufffd}\\u0007\ufffd )\ufffd\u0455\\\u0022\\u0011S\ufffd\\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\\u0007g\ufffd^)8\ufffd\ufffdL\\u001aGk\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001\\u0005\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\\u001a\ufffd\\u001eQNt\\f\ufffdA\\u0011=!\u063cK\\u001e\ufffd}\\u0007\ufffd )\ufffd\u0455\\\u0022\\u0011S\ufffd\\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\\u0007g\ufffd^)8\ufffd\ufffdL\\u001aGk\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002213a5448220366f9a32fbeed551d5df7029b8d939\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\\u001a\ufffd\\u001eQNt\\f\ufffdA\\u0011=!\u063cK\\u001e\ufffd}\\u0007\ufffd )\ufffd\u0455\\\u0022\\u0011S\ufffd\\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\\u0007g\ufffd^)8\ufffd\ufffdL\\u001aGk\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022tls_ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022port\u0022: 5260, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0291R\ufffdx.G\ufffd,\ufffd3\ufffdQNt\ufffdA=!\u063cK\ufffd}\ufffd )\ufffd\u0455\\\u0022S\ufffdc\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678g\ufffd^)8\ufffd\ufffdLGk\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5260 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225260 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 5260, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u0291R\ufffdx.G\ufffd,\ufffd3\\u001a\ufffd\\u001eQNt\\f\ufffdA\\u0011=!\u063cK\\u001e\ufffd}\\u0007\ufffd )\ufffd\u0455\\\u0022\\u0011S\ufffd\\u0014c\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678\\u0007g\ufffd^)8\ufffd\ufffdL\\u001aGk\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022tls_ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022port\u0022: 5260, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5260 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0291R\ufffdx.G\ufffd,\ufffd3\ufffdQNt\ufffdA=!\u063cK\ufffd}\ufffd )\ufffd\u0455\\\u0022S\ufffdc\ufffd\u0454P\ufffd\ufffdT\ufffd\u0678g\ufffd^)8\ufffd\ufffdLGk\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00225260 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225260\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:5260\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"cc61f04eb7a2e049ef5095a5eb5a4ae0","tls_ja3":"771,4866-4867-4865-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-69-68-49176-52-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":9589116,"ip":"80.87.206.168","ts":"2026-06-18 15:54:21.000000","proto":"tcp","src_port":36690,"dst_port":5260,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 24, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 5.072341519576699, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5260, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e5148bdfe6a1bff0ccf7c6f590968ebc05bedb8e\u0022, \u0022event_fingerprint\u0022: \u0022ddae32505acafdc7a824386068e014572fcc2e2e\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022payload_hash\u0022: \u0022b222237c26d76bfb8f65d1a739c429f9\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5260, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u05b9Ea\\u0004O\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000M\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\\u001a\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYG\\u0012\\u001cqn\ufffd\ufffd{\ufffd\\u0005\\u000b\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u05b9Ea\\u0004O\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000M\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\\u001a\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYG\\u0012\\u001cqn\ufffd\ufffd{\ufffd\\u0005\\u000b\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001\\u0005\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u05b9Ea\\u0004O\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000M\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\\u001a\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYG\\u0012\\u001cqn\ufffd\ufffd{\ufffd\\u0005\\u000b\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225105e06ec1f1c36e8a709fea16980e651633ba6d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u05b9Ea\\u0004O\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000M\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\\u001a\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYG\\u0012\\u001cqn\ufffd\ufffd{\ufffd\\u0005\\u000b\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022tls_ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022port\u0022: 5260, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u05b9EaO\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYGqn\ufffd\ufffd{\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5260 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225260 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 5260, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\u05b9Ea\\u0004O\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000M\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\\u001a\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYG\\u0012\\u001cqn\ufffd\ufffd{\ufffd\\u0005\\u000b\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022tls_ja3\u0022: \u0022cc61f04eb7a2e049ef5095a5eb5a4ae0\u0022, \u0022port\u0022: 5260, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5260 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u05b9EaO\ufffdd\ufffd\ufffdTK\ufffd\ufffd\u0721W\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd J\ufffd\ufffd\ufffdl\ufffd\u0087%\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdYGqn\ufffd\ufffd{\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00225260 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225260\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:5260\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"cc61f04eb7a2e049ef5095a5eb5a4ae0","tls_ja3":"771,4866-4867-4865-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-69-68-49176-52-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,11-10-35-22-23-13-43-45-51-21,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":517},{"id":9589097,"ip":"80.87.206.168","ts":"2026-06-18 15:53:59.000000","proto":"tcp","src_port":36614,"dst_port":5260,"service":null,"classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 342, \u0022payload_entropy\u0022: 5.318814976358084, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5260, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b4610eb050847ed96c6cd81e6a71c41e70502810\u0022, \u0022event_fingerprint\u0022: \u0022970a602c9cb9139334731e2a834b5c2a7f773580\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d91c15d35e6a8e4f68d0ba796cfe3a98\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5260, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\\r\\nMax-Forwards: 70\\r\\nCall-ID: 1005620f-\u0022, \u0022request_sample\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\\r\\nMax-Forwards: 70\\r\\nCall-ID: 1005620f-31e6-473e-900a-c3a2d63966ca\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:57557315659@62.3.50.33\u003E\\r\\nFrom: \u003Csip:57557315659@192.168.10.69\u003E;tag=3267\u0022, \u0022payload_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\\r\\nMax-Forwards: 70\\r\\nCall-ID: 1005620f-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\\r\\nMax-Forwards: 70\\r\\nCall-ID: 1005620f-31e6-473e-900a-c3a2d63966ca\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:57557315659@62.3.50.33\u003E\\r\\nFrom: \u003Csip:57557315659@192.168.10.69\u003E;tag=3267\u0022, \u0022payload_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\\r\\nMax-Forwards: 70\\r\\nCall-ID: 1005620f-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222c0d1b9351991598e87e135da7ced06797c39e5f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\\r\\nMax-Forwards: 70\\r\\nCall-ID: 1005620f-\u0022, \u0022port\u0022: 5260}, \u0022evidence_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\\r\\nMax-Forwards: 70\\r\\nCall-ID: 1005620f-\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 port 5260 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225260\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 multi-protocole (3 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 5260, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\\r\\nMax-Forwards: 70\\r\\nCall-ID: 1005620f-\u0022, \u0022port\u0022: 5260}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 port 5260 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.69:36614;branch=z9hG4bK-34318\\r\\nMax-Forwards: 70\\r\\nCall-ID: 1005620f-\u0022, \u0022target_port_label\u0022: \u00225260\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225260\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:5260\u0022, \u0022sip-tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":342},{"id":9589083,"ip":"80.87.206.168","ts":"2026-06-18 15:53:41.000000","proto":"tcp","src_port":36568,"dst_port":5260,"service":"http","classification":"http_smuggling_probe","waf_score":28,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022]","http_method":"OPTIONS","http_target":"sip:62.3.50.33","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002233\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022a93b9fae74730e34a8148a6bdc278533115dc4a8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022OPTIONS\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 341, \u0022payload_entropy\u0022: 5.388625332383987, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5260, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002250fdb8d477ace93e66ff7c1364cf4f601128a6b1\u0022, \u0022event_fingerprint\u0022: \u0022ca42298ba458ba3fb6d68b92aba0722e0bf80945\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222e5c34aaf569a10cf86a6507ef227e11\u0022, \u0022path_pattern_hash\u0022: \u002254f584808f270c653072560c766be65a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5260, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\\r\\nMax-Forwards: 70\\r\\nCall-ID: 45182d51-\u0022, \u0022method\u0022: \u0022OPTIONS\u0022, \u0022path\u0022: \u0022sip:62.3.50.33\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022OPTIONS sip:62.3.50.33 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\\r\\nMax-Forwards: 70\\r\\nCall-ID: 45182d51-18cf-4ab1-a609-51d86ad052e1\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:62.3.50.33\u003E\\r\\nFrom: \u003Csip:74893980198@192.168.10.173\u003E;tag=40302\\r\\nCSeq: 1 \u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\\r\\nMax-Forwards: 70\\r\\nCall-ID: 45182d51-\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022OPTIONS\u0022, \u0022path\u0022: \u0022sip:62.3.50.33\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022OPTIONS sip:62.3.50.33 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\\r\\nMax-Forwards: 70\\r\\nCall-ID: 45182d51-18cf-4ab1-a609-51d86ad052e1\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:62.3.50.33\u003E\\r\\nFrom: \u003Csip:74893980198@192.168.10.173\u003E;tag=40302\\r\\nCSeq: 1 \u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\\r\\nMax-Forwards: 70\\r\\nCall-ID: 45182d51-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f0fc17961a91f66fec5c90c54d279b8cf2c0be13\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022OPTIONS\u0022, \u0022http_path\u0022: \u0022sip:62.3.50.33\u0022, \u0022request_line\u0022: \u0022OPTIONS sip:62.3.50.33 HTTP\/1.1\u0022, \u0022port\u0022: 5260, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\\r\\nMax-Forwards: 70\\r\\nCall-ID: 45182d51-\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:5260 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 sip:62.3.50.33\u0022, \u0022target_port_label\u0022: \u00225260 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5260, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022OPTIONS\u0022, \u0022http_path\u0022: \u0022sip:62.3.50.33\u0022, \u0022request_line\u0022: \u0022OPTIONS sip:62.3.50.33 HTTP\/1.1\u0022, \u0022port\u0022: 5260, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:5260 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 sip:62.3.50.33\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.173:36568;branch=z9hG4bK-54489\\r\\nMax-Forwards: 70\\r\\nCall-ID: 45182d51-\u0022, \u0022target_port_label\u0022: \u00225260 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225260\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022sip-tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022http_no_ua\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"SIP\/2.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":10,"bytes_in":341},{"id":9588886,"ip":"80.87.206.168","ts":"2026-06-18 15:49:15.000000","proto":"tcp","src_port":58120,"dst_port":5061,"service":"sip-tls","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002215030300020228\u0022, \u0022emulator_response_len\u0022: 7, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 5.031238687058579, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022sip-tls\u0022, \u0022app_proto\u0022: \u0022sip-tls\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5061, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022554e11b9302bdfcd540c45a1cf923952ca5dba5a\u0022, \u0022event_fingerprint\u0022: \u0022023bc9d1c35abdce99228ec210a0d9707a172294\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0578\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0578\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a62803534f5d132040318e69f8c1a439\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022risk_score\u0022: 45}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd\u003C\ufffdX\\u0010\ufffd1 \\\u0022\ufffd\ufffd\ufffd;\ufffds\ufffd!S\\u001f_\ufffd\ufffdsp\ufffd\ufffd\u077a\\u0016\ufffd\ufffdk\ufffd\ufffd\\u001d4\ufffd\ufffdm\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd\u003C\ufffdX\\u0010\ufffd1 \\\u0022\ufffd\ufffd\ufffd;\ufffds\ufffd!S\\u001f_\ufffd\ufffdsp\ufffd\ufffd\u077a\\u0016\ufffd\ufffdk\ufffd\ufffd\\u001d4\ufffd\ufffdm\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001\\u0005\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd\u003C\ufffdX\\u0010\ufffd1 \\\u0022\ufffd\ufffd\ufffd;\ufffds\ufffd!S\\u001f_\ufffd\ufffdsp\ufffd\ufffd\u077a\\u0016\ufffd\ufffdk\ufffd\ufffd\\u001d4\ufffd\ufffdm\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eac03306fa76fa62462283f8442757b474a4ba55\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd\u003C\ufffdX\\u0010\ufffd1 \\\u0022\ufffd\ufffd\ufffd;\ufffds\ufffd!S\\u001f_\ufffd\ufffdsp\ufffd\ufffd\u077a\\u0016\ufffd\ufffdk\ufffd\ufffd\\u001d4\ufffd\ufffdm\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd\u003C\ufffdX\ufffd1 \\\u0022\ufffd\ufffd\ufffd;\ufffds\ufffd!S_\ufffd\ufffdsp\ufffd\ufffd\u077a\ufffd\ufffdk\ufffd\ufffd4\ufffd\ufffdm\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP TLS:5061 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225061 \u00b7 SIP TLS\u0022, \u0022emulator_service\u0022: \u0022sip-tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022, \u0022dst_port\u0022: 5061, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0578\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0578\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd\u003C\ufffdX\\u0010\ufffd1 \\\u0022\ufffd\ufffd\ufffd;\ufffds\ufffd!S\\u001f_\ufffd\ufffdsp\ufffd\ufffd\u077a\\u0016\ufffd\ufffdk\ufffd\ufffd\\u001d4\ufffd\ufffdm\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP TLS:5061 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd!\ufffd\ufffdJ\ufffd\ufffdB\ufffd\ufffd;\ufffd\ufffd\ufffd^\u0469\ufffdcr\ufffdJ]\ufffd2\ufffd\ufffd\u003C\ufffdX\ufffd1 \\\u0022\ufffd\ufffd\ufffd;\ufffds\ufffd!S_\ufffd\ufffdsp\ufffd\ufffd\u077a\ufffd\ufffdk\ufffd\ufffd4\ufffd\ufffdm\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00225061 \u00b7 SIP TLS\u0022, \u0022emulator_service\u0022: \u0022sip-tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip_tls\u0022, \u0022service_banner\u0022: \u0022honeypot-sip-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225061\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_tls_emulated\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_tls_emulated\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":517},{"id":9588875,"ip":"80.87.206.168","ts":"2026-06-18 15:49:01.000000","proto":"tcp","src_port":58084,"dst_port":5061,"service":"sip-tls","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002215030300020228\u0022, \u0022emulator_response_len\u0022: 7, \u0022bytes_in\u0022: 517, \u0022payload_entropy\u0022: 5.074965604166476, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022sip-tls\u0022, \u0022app_proto\u0022: \u0022sip-tls\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5061, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022554e11b9302bdfcd540c45a1cf923952ca5dba5a\u0022, \u0022event_fingerprint\u0022: \u0022023bc9d1c35abdce99228ec210a0d9707a172294\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0578\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0578\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225a79e7242f70e4b79975d9513030e769\u0022, \u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022risk_score\u0022: 45}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\\u001f\ufffd\ufffd\\f;\u0168\u0776!IdW\\t4\u03dam ^\ufffd\u2a93\ufffd|\\u0011XnL\ufffd\\u0018EE\u0162\\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\\\u0654\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\\u001f\ufffd\ufffd\\f;\u0168\u0776!IdW\\t4\u03dam ^\ufffd\u2a93\ufffd|\\u0011XnL\ufffd\\u0018EE\u0162\\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\\\u0654\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\\u0000\/\\u0000A\\u0000\ufffd\\u0001\\u0000\\u0001\\u0005\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\\u001f\ufffd\ufffd\\f;\u0168\u0776!IdW\\t4\u03dam ^\ufffd\u2a93\ufffd|\\u0011XnL\ufffd\\u0018EE\u0162\\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\\\u0654\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002270dd78017047af9a1c74444b3ec893f34e5a0bd4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\\u001f\ufffd\ufffd\\f;\u0168\u0776!IdW\\t4\u03dam ^\ufffd\u2a93\ufffd|\\u0011XnL\ufffd\\u0018EE\u0162\\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\\\u0654\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\ufffd\ufffd;\u0168\u0776!IdW\\t4\u03dam ^\ufffd\u2a93\ufffd|XnL\ufffdEE\u0162\\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\\\u0654\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP TLS:5061 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225061 \u00b7 SIP TLS\u0022, \u0022emulator_service\u0022: \u0022sip-tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022, \u0022dst_port\u0022: 5061, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0578\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0578\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0002\\u0000\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\\u001f\ufffd\ufffd\\f;\u0168\u0776!IdW\\t4\u03dam ^\ufffd\u2a93\ufffd|\\u0011XnL\ufffd\\u0018EE\u0162\\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\\\u0654\ufffd\\u0000\ufffd\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP TLS:5061 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd-\ufffdn\u0796-\ufffdrD\ufffd\ufffd$u\ufffd\ufffd;\u0168\u0776!IdW\\t4\u03dam ^\ufffd\u2a93\ufffd|XnL\ufffdEE\u0162\\t2\u06dc\ufffd\ufffds\ufffd\ufffd\ufffd0\\\\\u0654\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00225061 \u00b7 SIP TLS\u0022, \u0022emulator_service\u0022: \u0022sip-tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip_tls\u0022, \u0022service_banner\u0022: \u0022honeypot-sip-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225061\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_tls_emulated\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_tls_emulated\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":517},{"id":9588858,"ip":"80.87.206.168","ts":"2026-06-18 15:48:44.000000","proto":"tcp","src_port":58024,"dst_port":5061,"service":"sip-tls","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 344, \u0022payload_entropy\u0022: 5.401847537013169, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022sip-tls\u0022, \u0022app_proto\u0022: \u0022sip-tls\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5061, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225be3b60591346242b76f64d001171712d237d13a\u0022, \u0022event_fingerprint\u0022: \u0022023bc9d1c35abdce99228ec210a0d9707a172294\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223936247899cbf424715361fa000baae7\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\\r\\nMax-Forwards: 70\\r\\nCall-ID: de08cc32\u0022, \u0022request_sample\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\\r\\nMax-Forwards: 70\\r\\nCall-ID: de08cc32-91fc-4cd8-85bb-d4f39e44b5e6\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:94597681696@62.3.50.33\u003E\\r\\nFrom: \u003Csip:94597681696@192.168.10.217\u003E;tag=30\u0022, \u0022payload_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\\r\\nMax-Forwards: 70\\r\\nCall-ID: de08cc32\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\\r\\nMax-Forwards: 70\\r\\nCall-ID: de08cc32-91fc-4cd8-85bb-d4f39e44b5e6\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:94597681696@62.3.50.33\u003E\\r\\nFrom: \u003Csip:94597681696@192.168.10.217\u003E;tag=30\u0022, \u0022payload_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\\r\\nMax-Forwards: 70\\r\\nCall-ID: de08cc32\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022af00c1125c5c1ccec3314a1bdcfd3ca05050bd18\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\\r\\nMax-Forwards: 70\\r\\nCall-ID: de08cc32\u0022, \u0022port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022}, \u0022evidence_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\\r\\nMax-Forwards: 70\\r\\nCall-ID: de08cc32\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via SIP TLS:5061 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225061 \u00b7 SIP TLS\u0022, \u0022emulator_service\u0022: \u0022sip-tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via SIP TLS\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022, \u0022dst_port\u0022: 5061, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\\r\\nMax-Forwards: 70\\r\\nCall-ID: de08cc32\u0022, \u0022port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via SIP TLS:5061 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.217:58024;branch=z9hG4bK-30138\\r\\nMax-Forwards: 70\\r\\nCall-ID: de08cc32\u0022, \u0022target_port_label\u0022: \u00225061 \u00b7 SIP TLS\u0022, \u0022emulator_service\u0022: \u0022sip-tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip_tls\u0022, \u0022service_banner\u0022: \u0022honeypot-sip-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225061\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_tls_emulated\u0022, \u0022sip_voip_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_tls_emulated\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":344},{"id":9588841,"ip":"80.87.206.168","ts":"2026-06-18 15:48:23.000000","proto":"tcp","src_port":57920,"dst_port":5061,"service":"sip-tls","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 338, \u0022payload_entropy\u0022: 5.386744141944372, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022sip-tls\u0022, \u0022app_proto\u0022: \u0022sip-tls\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5061, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225be3b60591346242b76f64d001171712d237d13a\u0022, \u0022event_fingerprint\u0022: \u0022023bc9d1c35abdce99228ec210a0d9707a172294\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022, \u0022pat-0420\u0022, \u0022pat-0535\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022, \u0022HTTP OPTIONS method\u0022, \u0022SIP OPTIONS\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022, \u0022pat-0420\u0022, \u0022pat-0535\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f0c8b2ad22b8d1c1cd7096c9717e7536\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\\r\\nMax-Forwards: 70\\r\\nCall-ID: e8780bc7-3\u0022, \u0022request_sample\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\\r\\nMax-Forwards: 70\\r\\nCall-ID: e8780bc7-3360-412c-af5b-6331e6eab8eb\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:62.3.50.33\u003E\\r\\nFrom: \u003Csip:09512332117@192.168.10.28\u003E;tag=30395\\r\\nCSeq: 1 OP\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\\r\\nMax-Forwards: 70\\r\\nCall-ID: e8780bc7-3\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\\r\\nMax-Forwards: 70\\r\\nCall-ID: e8780bc7-3360-412c-af5b-6331e6eab8eb\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:62.3.50.33\u003E\\r\\nFrom: \u003Csip:09512332117@192.168.10.28\u003E;tag=30395\\r\\nCSeq: 1 OP\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\\r\\nMax-Forwards: 70\\r\\nCall-ID: e8780bc7-3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022763cf44dae6f4433a6aec8ba91dea578459db338\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\\r\\nMax-Forwards: 70\\r\\nCall-ID: e8780bc7-3\u0022, \u0022port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\\r\\nMax-Forwards: 70\\r\\nCall-ID: e8780bc7-3\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via SIP TLS:5061 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225061 \u00b7 SIP TLS\u0022, \u0022emulator_service\u0022: \u0022sip-tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via SIP TLS \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022, \u0022dst_port\u0022: 5061, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\\r\\nMax-Forwards: 70\\r\\nCall-ID: e8780bc7-3\u0022, \u0022port\u0022: 5061, \u0022service\u0022: \u0022sip-tls\u0022, \u0022service_label_fr\u0022: \u0022SIP TLS\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via SIP TLS:5061 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.28:57920;branch=z9hG4bK-54047\\r\\nMax-Forwards: 70\\r\\nCall-ID: e8780bc7-3\u0022, \u0022target_port_label\u0022: \u00225061 \u00b7 SIP TLS\u0022, \u0022emulator_service\u0022: \u0022sip-tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip_tls\u0022, \u0022service_banner\u0022: \u0022honeypot-sip-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225061\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022sip\u0022, \u0022sip-tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_tls_emulated\u0022, \u0022sip_voip_probe\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_tls_emulated\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":338},{"id":9588600,"ip":"80.87.206.168","ts":"2026-06-18 15:43:31.000000","proto":"tcp","src_port":54372,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ede27279abdf995b4c23aeb42aaef771106fc4d\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d84b353c2e3026305f118e4eda26f551d550f6a6\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022]","anomalies":"[]","severity":5,"bytes_in":0},{"id":9588586,"ip":"80.87.206.168","ts":"2026-06-18 15:43:05.000000","proto":"tcp","src_port":54214,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ede27279abdf995b4c23aeb42aaef771106fc4d\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d84b353c2e3026305f118e4eda26f551d550f6a6\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022]","anomalies":"[]","severity":5,"bytes_in":0},{"id":9588500,"ip":"80.87.206.168","ts":"2026-06-18 15:41:21.000000","proto":"tcp","src_port":53706,"dst_port":5060,"service":"sip","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 342, \u0022payload_entropy\u0022: 5.317552819273413, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229770ffabe3cebe502299c71f6b61eebb\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\\r\\nMax-Forwards: 70\\r\\nCall-ID: 4311e178-\u0022, \u0022request_sample\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\\r\\nMax-Forwards: 70\\r\\nCall-ID: 4311e178-9b83-4e01-ad84-37d9ac5e70d9\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:38300356813@62.3.50.33\u003E\\r\\nFrom: \u003Csip:38300356813@192.168.10.18\u003E;tag=4460\u0022, \u0022payload_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\\r\\nMax-Forwards: 70\\r\\nCall-ID: 4311e178-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\\r\\nMax-Forwards: 70\\r\\nCall-ID: 4311e178-9b83-4e01-ad84-37d9ac5e70d9\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:38300356813@62.3.50.33\u003E\\r\\nFrom: \u003Csip:38300356813@192.168.10.18\u003E;tag=4460\u0022, \u0022payload_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\\r\\nMax-Forwards: 70\\r\\nCall-ID: 4311e178-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228ac1e4997c1cc2ae84a3ef5430db9ab9cf51c9ae\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\\r\\nMax-Forwards: 70\\r\\nCall-ID: 4311e178-\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\\r\\nMax-Forwards: 70\\r\\nCall-ID: 4311e178-\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via SIP:5060 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via SIP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\\r\\nMax-Forwards: 70\\r\\nCall-ID: 4311e178-\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via SIP:5060 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022REGISTER sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.18:53706;branch=z9hG4bK-52247\\r\\nMax-Forwards: 70\\r\\nCall-ID: 4311e178-\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":342},{"id":9588425,"ip":"80.87.206.168","ts":"2026-06-18 15:40:15.000000","proto":"tcp","src_port":53366,"dst_port":5060,"service":"sip","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 341, \u0022payload_entropy\u0022: 5.371408391016639, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 16276, \u0022country\u0022: \u0022RU\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022, \u0022pat-0420\u0022, \u0022pat-0535\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022, \u0022HTTP OPTIONS method\u0022, \u0022SIP OPTIONS\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022, \u0022pat-0420\u0022, \u0022pat-0535\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022RU\u0022, \u0022asn\u0022: 16276, \u0022org\u0022: \u0022OVH SAS\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002225c711ea46cee4950d53395bf27203f8\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\\r\\nMax-Forwards: 70\\r\\nCall-ID: 5532ddd2-\u0022, \u0022request_sample\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\\r\\nMax-Forwards: 70\\r\\nCall-ID: 5532ddd2-24d1-462b-839b-d234934e475d\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:62.3.50.33\u003E\\r\\nFrom: \u003Csip:46373851983@192.168.10.142\u003E;tag=32649\\r\\nCSeq: 1 \u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\\r\\nMax-Forwards: 70\\r\\nCall-ID: 5532ddd2-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\\r\\nMax-Forwards: 70\\r\\nCall-ID: 5532ddd2-24d1-462b-839b-d234934e475d\\r\\nContent-Length: 0\\r\\nTo: \u003Csip:62.3.50.33\u003E\\r\\nFrom: \u003Csip:46373851983@192.168.10.142\u003E;tag=32649\\r\\nCSeq: 1 \u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\\r\\nMax-Forwards: 70\\r\\nCall-ID: 5532ddd2-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227b55925860326f375ae0781e1927589a903fc29b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\\r\\nMax-Forwards: 70\\r\\nCall-ID: 5532ddd2-\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\\r\\nMax-Forwards: 70\\r\\nCall-ID: 5532ddd2-\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via SIP:5060 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via SIP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\\r\\nMax-Forwards: 70\\r\\nCall-ID: 5532ddd2-\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via SIP:5060 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:62.3.50.33 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 192.168.10.142:53366;branch=z9hG4bK-25609\\r\\nMax-Forwards: 70\\r\\nCall-ID: 5532ddd2-\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":341}],"total_events":39}