{"ip":"89.248.172.10","exported_at":"2026-07-19T05:50:49+00:00","period_days":1,"metrics":{"events7d":31,"distinct_ports":22,"distinct_classifications":15,"max_severity":8,"last_sensor_id":"paris-1","max_waf_score":16,"max_risk_score":50,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["database_scan"],"recommended_action":"monitor","confidence":0.08,"risk_breakdown":{"waf":8,"classification":55,"behavior":0,"geo":0,"protocol":40,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":21,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 34\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":55,"behavior":0,"geo":0,"protocol":40,"novelty":15,"risk_score":34,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":8,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":"cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"GET \/ HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16","port":7000,"service":"cassandra-jmx","service_label_fr":"CASSANDRA JMX"},"protocol_summary_fr":"Payload GET \/ HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Ma\u2026 \u00b7 CASSANDRA JMX:7000","evidence_snippet":"GET \/ HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16","target_port_label":"7000 \u00b7 CASSANDRA JMX","emulator_service":"cassandra-jmx","confidence_reason":"Confiance 0 % \u2014 4 signal(aux) capteur","classification_reason":"Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%","classification_reason_label_fr":"Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%","confidence_factors_fr":"Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8","payload_preview":"GET \/ HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16"},"events":[{"id":12815200,"ip":"89.248.172.10","ts":"2026-07-18 23:10:13.000000","proto":"tcp","src_port":12299,"dst_port":7000,"service":"cassandra-jmx","classification":"cassandra_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00224f4b0d0a\u0022, \u0022emulator_response_len\u0022: 4, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022app_proto\u0022: \u0022cassandra-jmx\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 7000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 55.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229af8e61ef8693591e01ecf481399aa2f40e5f5d2\u0022, \u0022event_fingerprint\u0022: \u00220515a90696fafcab67973d1c4c56caf19b56703e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.08, \u0022classification_confidence\u0022: 0.08, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00224ab235198c4b31da3311b42124ef3494\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cc87dba7bd8c5a064669a26e478df05829ebf2b4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227000 \u00b7 CASSANDRA JMX\u0022, \u0022emulator_service\u0022: \u0022cassandra-jmx\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 8, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022, \u0022dst_port\u0022: 7000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-cassandra-jmx\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022}, \u0022attack_vector\u0022: \u0022cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00227000 \u00b7 CASSANDRA JMX\u0022, \u0022emulator_service\u0022: \u0022cassandra-jmx\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022cassandra_jmx\u0022, \u0022service_banner\u0022: \u0022honeypot-cassandra-jmx\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022cassandra-jmx\u0022, \u0022nomad-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022cassandra_emulated\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_cassandra_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022cassandra_emulated\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_cassandra_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":213},{"id":12815186,"ip":"89.248.172.10","ts":"2026-07-18 23:09:51.000000","proto":"tcp","src_port":60000,"dst_port":4001,"service":"nomad-http","classification":"consul_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022nomad-http\u0022, \u0022app_proto\u0022: \u0022nomad-http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 4001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002275dbabad1b7f9b92515b56b97b09cfeb4f9b9316\u0022, \u0022event_fingerprint\u0022: \u0022ea33d941311f2d31d6aa1a1459ed41db704f3413\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab consul_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 32}, \u0022service_name\u0022: \u0022nomad-http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u0022903d4a7efff645522f88fc15d7a1b2c2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4001, \u0022service\u0022: \u0022nomad-http\u0022, \u0022service_name\u0022: \u0022nomad-http\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab consul_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022cloud_infra_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e144446f9589f0a26e1c8b3a54b6f9072e22e424\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 4001, \u0022service\u0022: \u0022nomad-http\u0022, \u0022service_label_fr\u0022: \u0022NOMAD HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022consul probe \u00b7 via NOMAD HTTP:4001 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224001 \u00b7 NOMAD HTTP\u0022, \u0022emulator_service\u0022: \u0022nomad-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab consul_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab consul_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022nomad-http\u0022, \u0022service_label_fr\u0022: \u0022NOMAD HTTP\u0022, \u0022dst_port\u0022: 4001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-nomad-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 4001, \u0022service\u0022: \u0022nomad-http\u0022, \u0022service_label_fr\u0022: \u0022NOMAD HTTP\u0022}, \u0022attack_vector\u0022: \u0022consul probe \u00b7 via NOMAD HTTP:4001 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00224001 \u00b7 NOMAD HTTP\u0022, \u0022emulator_service\u0022: \u0022nomad-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022nomad_http\u0022, \u0022service_banner\u0022: \u0022honeypot-nomad-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_consul_probe\u0022, \u0022nomad_http_emulated\u0022, \u0022nomad_http_payload\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_consul_probe\u0022, \u0022nomad_http_emulated\u0022, \u0022nomad_http_payload\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":372},{"id":12814115,"ip":"89.248.172.10","ts":"2026-07-18 22:52:10.000000","proto":"tcp","src_port":60000,"dst_port":6501,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 13, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 6501, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228fbe833b1f4e0980c0ae8246615ed1fe444418ce\u0022, \u0022event_fingerprint\u0022: \u002234fc7c7640df2a72a041ccedd32433754d4359da\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6501, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e8f1d877d93f024444a494d6da7e6fa8eb7351c2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 6501, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:6501 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226501 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6501, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 6501, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:6501 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226501 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226501\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"18e9afaf91db6f8a2470e7435c2a1d6b","tls_ja3":"770,49162-49172-57-107-53-61-49159-49161-49187-49169-49171-49191-51-103-50-5-4-47-60-10,61184-65281-10-11-35-13172-30031-5,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":12791026,"ip":"89.248.172.10","ts":"2026-07-18 16:52:20.000000","proto":"tcp","src_port":60000,"dst_port":1701,"service":"l2tp","classification":"l2tp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022c802007500080000000000000000\u0022, \u0022emulator_response_len\u0022: 14, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022l2tp\u0022, \u0022app_proto\u0022: \u0022l2tp\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1701, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229b354bccbc952bcd92361fcdfe1fd852fa891843\u0022, \u0022event_fingerprint\u0022: \u00220f250c2c21cdddb93e518a807fadce942f8b008f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022l2tp\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u0022e0cbaa420d1e263af517ba2fd511b7ae\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1701, \u0022service\u0022: \u0022l2tp\u0022, \u0022service_name\u0022: \u0022l2tp\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a8809b232b089121a44eaf3cb6695c6224ffbdb5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 1701, \u0022service\u0022: \u0022l2tp\u0022, \u0022service_label_fr\u0022: \u0022L2TP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022l2tp probe \u00b7 via L2TP:1701 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221701 \u00b7 L2TP\u0022, \u0022emulator_service\u0022: \u0022l2tp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022l2tp\u0022, \u0022service_label_fr\u0022: \u0022L2TP\u0022, \u0022dst_port\u0022: 1701, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-l2tp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 1701, \u0022service\u0022: \u0022l2tp\u0022, \u0022service_label_fr\u0022: \u0022L2TP\u0022}, \u0022attack_vector\u0022: \u0022l2tp probe \u00b7 via L2TP:1701 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00221701 \u00b7 L2TP\u0022, \u0022emulator_service\u0022: \u0022l2tp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022l2tp\u0022, \u0022service_banner\u0022: \u0022honeypot-l2tp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221701\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022l2tp_emulated\u0022, \u0022l2tp_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_l2tp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022l2tp_emulated\u0022, \u0022l2tp_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_l2tp_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":213},{"id":12785982,"ip":"89.248.172.10","ts":"2026-07-18 15:14:34.000000","proto":"tcp","src_port":60000,"dst_port":8081,"service":"http-alt-8081","classification":"http-alt-8081","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022app_proto\u0022: \u0022http-alt-8081\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022929e68b705f9838a7da7b1cddb73ebe75654e59f\u0022, \u0022event_fingerprint\u0022: \u00221023f61ccc055c445b71c912dbddfda91b08657e\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022http-alt-8081\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u0022721fec86c34b7fdcb2df85c882e6db0e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022service_name\u0022: \u0022http-alt-8081\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224348dfaad62e1a348df9814cf85b6157fd5ee121\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8081\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022http-alt-8081 \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP ALT 8081\u0022, \u0022emulator_service\u0022: \u0022http-alt-8081\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-8081\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8081\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-8081\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8081\u0022}, \u0022attack_vector\u0022: \u0022http-alt-8081 \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP ALT 8081\u0022, \u0022emulator_service\u0022: \u0022http-alt-8081\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_8081\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-8081\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":372},{"id":12785400,"ip":"89.248.172.10","ts":"2026-07-18 15:03:52.000000","proto":"tcp","src_port":60000,"dst_port":8081,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002239b1f0ffae6bc4a4f6615bb6049d12fbf7523f23\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002291641af73e5a2129931417917b9efcb79fd24137\u0022, \u0022event_fingerprint\u0022: \u0022e655cce1d5fb43c4d97a30acd0b655feb29cad21\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022951aeae5c86a184c4c5e3c7911f59e84\u0022, \u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222be3523007a52242c99bbbb74c21da4e29db92a5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":12779514,"ip":"89.248.172.10","ts":"2026-07-18 13:29:27.000000","proto":"tcp","src_port":60000,"dst_port":7000,"service":"cassandra-jmx","classification":"cassandra_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00224f4b0d0a\u0022, \u0022emulator_response_len\u0022: 4, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022app_proto\u0022: \u0022cassandra-jmx\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 7000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 55.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226a68dd2ceaa4aea89c41affaca7dcccdf8010026\u0022, \u0022event_fingerprint\u0022: \u00220515a90696fafcab67973d1c4c56caf19b56703e\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00224ab235198c4b31da3311b42124ef3494\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022risk_score\u0022: 45}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c11544b4b504626a43c65794203222497e878d8b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227000 \u00b7 CASSANDRA JMX\u0022, \u0022emulator_service\u0022: \u0022cassandra-jmx\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022, \u0022dst_port\u0022: 7000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-cassandra-jmx\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022}, \u0022attack_vector\u0022: \u0022cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00227000 \u00b7 CASSANDRA JMX\u0022, \u0022emulator_service\u0022: \u0022cassandra-jmx\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022cassandra_jmx\u0022, \u0022service_banner\u0022: \u0022honeypot-cassandra-jmx\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022cassandra_emulated\u0022, \u0022net_cassandra_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022cassandra_emulated\u0022, \u0022net_cassandra_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":372},{"id":12776792,"ip":"89.248.172.10","ts":"2026-07-18 12:54:44.000000","proto":"tcp","src_port":60000,"dst_port":83,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002239b1f0ffae6bc4a4f6615bb6049d12fbf7523f23\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 83, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e79c3b9f0e171e5742032cee6fda57ed4e33ba10\u0022, \u0022event_fingerprint\u0022: \u00223e93ac27e27b651526bf414bb288df0a0f93c160\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022951aeae5c86a184c4c5e3c7911f59e84\u0022, \u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 83, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dca8650bd27ecd247a54d8739216548659c85f8c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 83, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:83 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002283 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 83, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 83, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:83 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u002283 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002283\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":12742783,"ip":"89.248.172.10","ts":"2026-07-18 09:35:01.000000","proto":"tcp","src_port":60000,"dst_port":50,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 13, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 50, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002219f39c643c49d9b8e890b83b0bd46ab4a4d0a99c\u0022, \u0022event_fingerprint\u0022: \u00222ebdc7a432b3804de8230b794c069a92e85e35a7\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 50, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022197e628e7e630eeffc6ba57df8a8d17dca098750\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 50, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:50 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002250 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 50, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 50, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:50 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u002250 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002250\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"18e9afaf91db6f8a2470e7435c2a1d6b","tls_ja3":"770,49162-49172-57-107-53-61-49159-49161-49187-49169-49171-49191-51-103-50-5-4-47-60-10,61184-65281-10-11-35-13172-30031-5,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":372}],"total_events":9}