{"ip":"89.248.172.10","exported_at":"2026-07-19T05:43:12+00:00","period_days":7,"metrics":{"events7d":31,"distinct_ports":22,"distinct_classifications":15,"max_severity":8,"last_sensor_id":"paris-1","max_waf_score":16,"max_risk_score":50,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["database_scan"],"recommended_action":"monitor","confidence":0.08,"risk_breakdown":{"waf":8,"classification":55,"behavior":0,"geo":0,"protocol":40,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":21,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 34\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":55,"behavior":0,"geo":0,"protocol":40,"novelty":15,"risk_score":34,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":8,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":"cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"GET \/ HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16","port":7000,"service":"cassandra-jmx","service_label_fr":"CASSANDRA JMX"},"protocol_summary_fr":"Payload GET \/ HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Ma\u2026 \u00b7 CASSANDRA JMX:7000","evidence_snippet":"GET \/ HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16","target_port_label":"7000 \u00b7 CASSANDRA JMX","emulator_service":"cassandra-jmx","confidence_reason":"Confiance 0 % \u2014 4 signal(aux) capteur","classification_reason":"Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%","classification_reason_label_fr":"Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%","confidence_factors_fr":"Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8","payload_preview":"GET \/ HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16"},"events":[{"id":12815200,"ip":"89.248.172.10","ts":"2026-07-18 23:10:13.000000","proto":"tcp","src_port":12299,"dst_port":7000,"service":"cassandra-jmx","classification":"cassandra_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00224f4b0d0a\u0022, \u0022emulator_response_len\u0022: 4, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022app_proto\u0022: \u0022cassandra-jmx\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 7000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 55.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229af8e61ef8693591e01ecf481399aa2f40e5f5d2\u0022, \u0022event_fingerprint\u0022: \u00220515a90696fafcab67973d1c4c56caf19b56703e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.08, \u0022classification_confidence\u0022: 0.08, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00224ab235198c4b31da3311b42124ef3494\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cc87dba7bd8c5a064669a26e478df05829ebf2b4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227000 \u00b7 CASSANDRA JMX\u0022, \u0022emulator_service\u0022: \u0022cassandra-jmx\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 8, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022, \u0022dst_port\u0022: 7000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-cassandra-jmx\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022}, \u0022attack_vector\u0022: \u0022cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00227000 \u00b7 CASSANDRA JMX\u0022, \u0022emulator_service\u0022: \u0022cassandra-jmx\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 4 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022cassandra_jmx\u0022, \u0022service_banner\u0022: \u0022honeypot-cassandra-jmx\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022cassandra-jmx\u0022, \u0022nomad-http\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022cassandra_emulated\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_cassandra_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022cassandra_emulated\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_cassandra_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":213},{"id":12815186,"ip":"89.248.172.10","ts":"2026-07-18 23:09:51.000000","proto":"tcp","src_port":60000,"dst_port":4001,"service":"nomad-http","classification":"consul_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022nomad-http\u0022, \u0022app_proto\u0022: \u0022nomad-http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 4001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002275dbabad1b7f9b92515b56b97b09cfeb4f9b9316\u0022, \u0022event_fingerprint\u0022: \u0022ea33d941311f2d31d6aa1a1459ed41db704f3413\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab consul_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 32}, \u0022service_name\u0022: \u0022nomad-http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u0022903d4a7efff645522f88fc15d7a1b2c2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4001, \u0022service\u0022: \u0022nomad-http\u0022, \u0022service_name\u0022: \u0022nomad-http\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab consul_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022cloud_infra_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e144446f9589f0a26e1c8b3a54b6f9072e22e424\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 4001, \u0022service\u0022: \u0022nomad-http\u0022, \u0022service_label_fr\u0022: \u0022NOMAD HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022consul probe \u00b7 via NOMAD HTTP:4001 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00224001 \u00b7 NOMAD HTTP\u0022, \u0022emulator_service\u0022: \u0022nomad-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab consul_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab consul_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022nomad-http\u0022, \u0022service_label_fr\u0022: \u0022NOMAD HTTP\u0022, \u0022dst_port\u0022: 4001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-nomad-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 4001, \u0022service\u0022: \u0022nomad-http\u0022, \u0022service_label_fr\u0022: \u0022NOMAD HTTP\u0022}, \u0022attack_vector\u0022: \u0022consul probe \u00b7 via NOMAD HTTP:4001 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00224001 \u00b7 NOMAD HTTP\u0022, \u0022emulator_service\u0022: \u0022nomad-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022nomad_http\u0022, \u0022service_banner\u0022: \u0022honeypot-nomad-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_consul_probe\u0022, \u0022nomad_http_emulated\u0022, \u0022nomad_http_payload\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_consul_probe\u0022, \u0022nomad_http_emulated\u0022, \u0022nomad_http_payload\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":372},{"id":12814115,"ip":"89.248.172.10","ts":"2026-07-18 22:52:10.000000","proto":"tcp","src_port":60000,"dst_port":6501,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 13, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 6501, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228fbe833b1f4e0980c0ae8246615ed1fe444418ce\u0022, \u0022event_fingerprint\u0022: \u002234fc7c7640df2a72a041ccedd32433754d4359da\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6501, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e8f1d877d93f024444a494d6da7e6fa8eb7351c2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 6501, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:6501 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226501 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 6501, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 6501, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:6501 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00226501 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226501\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"18e9afaf91db6f8a2470e7435c2a1d6b","tls_ja3":"770,49162-49172-57-107-53-61-49159-49161-49187-49169-49171-49191-51-103-50-5-4-47-60-10,61184-65281-10-11-35-13172-30031-5,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":12791026,"ip":"89.248.172.10","ts":"2026-07-18 16:52:20.000000","proto":"tcp","src_port":60000,"dst_port":1701,"service":"l2tp","classification":"l2tp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022c802007500080000000000000000\u0022, \u0022emulator_response_len\u0022: 14, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022l2tp\u0022, \u0022app_proto\u0022: \u0022l2tp\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1701, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 6.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229b354bccbc952bcd92361fcdfe1fd852fa891843\u0022, \u0022event_fingerprint\u0022: \u00220f250c2c21cdddb93e518a807fadce942f8b008f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022l2tp\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u0022e0cbaa420d1e263af517ba2fd511b7ae\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1701, \u0022service\u0022: \u0022l2tp\u0022, \u0022service_name\u0022: \u0022l2tp\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a8809b232b089121a44eaf3cb6695c6224ffbdb5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 1701, \u0022service\u0022: \u0022l2tp\u0022, \u0022service_label_fr\u0022: \u0022L2TP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022l2tp probe \u00b7 via L2TP:1701 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221701 \u00b7 L2TP\u0022, \u0022emulator_service\u0022: \u0022l2tp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022l2tp\u0022, \u0022service_label_fr\u0022: \u0022L2TP\u0022, \u0022dst_port\u0022: 1701, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-l2tp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 1701, \u0022service\u0022: \u0022l2tp\u0022, \u0022service_label_fr\u0022: \u0022L2TP\u0022}, \u0022attack_vector\u0022: \u0022l2tp probe \u00b7 via L2TP:1701 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00221701 \u00b7 L2TP\u0022, \u0022emulator_service\u0022: \u0022l2tp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022l2tp\u0022, \u0022service_banner\u0022: \u0022honeypot-l2tp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221701\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022l2tp_emulated\u0022, \u0022l2tp_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_l2tp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022l2tp_emulated\u0022, \u0022l2tp_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_l2tp_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":213},{"id":12785982,"ip":"89.248.172.10","ts":"2026-07-18 15:14:34.000000","proto":"tcp","src_port":60000,"dst_port":8081,"service":"http-alt-8081","classification":"http-alt-8081","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022app_proto\u0022: \u0022http-alt-8081\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 24.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022929e68b705f9838a7da7b1cddb73ebe75654e59f\u0022, \u0022event_fingerprint\u0022: \u00221023f61ccc055c445b71c912dbddfda91b08657e\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022http-alt-8081\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u0022721fec86c34b7fdcb2df85c882e6db0e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022service_name\u0022: \u0022http-alt-8081\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224348dfaad62e1a348df9814cf85b6157fd5ee121\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8081\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022http-alt-8081 \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP ALT 8081\u0022, \u0022emulator_service\u0022: \u0022http-alt-8081\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http-alt-8081 \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 24.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-8081\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8081\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-8081\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http-alt-8081\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8081\u0022}, \u0022attack_vector\u0022: \u0022http-alt-8081 \u00b7 via HTTP ALT 8081:8081 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP ALT 8081\u0022, \u0022emulator_service\u0022: \u0022http-alt-8081\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_8081\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-8081\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":372},{"id":12785400,"ip":"89.248.172.10","ts":"2026-07-18 15:03:52.000000","proto":"tcp","src_port":60000,"dst_port":8081,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002239b1f0ffae6bc4a4f6615bb6049d12fbf7523f23\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 8081, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002291641af73e5a2129931417917b9efcb79fd24137\u0022, \u0022event_fingerprint\u0022: \u0022e655cce1d5fb43c4d97a30acd0b655feb29cad21\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022951aeae5c86a184c4c5e3c7911f59e84\u0022, \u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222be3523007a52242c99bbbb74c21da4e29db92a5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8081, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 8081, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:8081 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00228081 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228081\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":12779514,"ip":"89.248.172.10","ts":"2026-07-18 13:29:27.000000","proto":"tcp","src_port":60000,"dst_port":7000,"service":"cassandra-jmx","classification":"cassandra_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00224f4b0d0a\u0022, \u0022emulator_response_len\u0022: 4, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022app_proto\u0022: \u0022cassandra-jmx\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 7000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 55.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226a68dd2ceaa4aea89c41affaca7dcccdf8010026\u0022, \u0022event_fingerprint\u0022: \u00220515a90696fafcab67973d1c4c56caf19b56703e\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00224ab235198c4b31da3311b42124ef3494\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022risk_score\u0022: 45}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c11544b4b504626a43c65794203222497e878d8b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00227000 \u00b7 CASSANDRA JMX\u0022, \u0022emulator_service\u0022: \u0022cassandra-jmx\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 55.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022, \u0022dst_port\u0022: 7000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-cassandra-jmx\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 7000, \u0022service\u0022: \u0022cassandra-jmx\u0022, \u0022service_label_fr\u0022: \u0022CASSANDRA JMX\u0022}, \u0022attack_vector\u0022: \u0022cassandra probe \u00b7 via CASSANDRA JMX:7000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00227000 \u00b7 CASSANDRA JMX\u0022, \u0022emulator_service\u0022: \u0022cassandra-jmx\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022cassandra_jmx\u0022, \u0022service_banner\u0022: \u0022honeypot-cassandra-jmx\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022cassandra_emulated\u0022, \u0022net_cassandra_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022cassandra_emulated\u0022, \u0022net_cassandra_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":372},{"id":12776792,"ip":"89.248.172.10","ts":"2026-07-18 12:54:44.000000","proto":"tcp","src_port":60000,"dst_port":83,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002239b1f0ffae6bc4a4f6615bb6049d12fbf7523f23\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 83, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e79c3b9f0e171e5742032cee6fda57ed4e33ba10\u0022, \u0022event_fingerprint\u0022: \u00223e93ac27e27b651526bf414bb288df0a0f93c160\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022951aeae5c86a184c4c5e3c7911f59e84\u0022, \u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 83, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dca8650bd27ecd247a54d8739216548659c85f8c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 83, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:83 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002283 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 83, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 83, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:83 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u002283 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002283\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":12742783,"ip":"89.248.172.10","ts":"2026-07-18 09:35:01.000000","proto":"tcp","src_port":60000,"dst_port":50,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 13, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 50, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002219f39c643c49d9b8e890b83b0bd46ab4a4d0a99c\u0022, \u0022event_fingerprint\u0022: \u00222ebdc7a432b3804de8230b794c069a92e85e35a7\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 50, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022197e628e7e630eeffc6ba57df8a8d17dca098750\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 50, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:50 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002250 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 50, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 50, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:50 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u002250 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002250\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"18e9afaf91db6f8a2470e7435c2a1d6b","tls_ja3":"770,49162-49172-57-107-53-61-49159-49161-49187-49169-49171-49191-51-103-50-5-4-47-60-10,61184-65281-10-11-35-13172-30031-5,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":12708326,"ip":"89.248.172.10","ts":"2026-07-18 01:30:53.000000","proto":"tcp","src_port":60000,"dst_port":9001,"service":"tor-or","classification":"tor_exit_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022030000000000000000\u0022, \u0022emulator_response_len\u0022: 9, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022tor-or\u0022, \u0022app_proto\u0022: \u0022tor-or\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 9001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d967b0275d13a566643f776c2f2ca13b50a86244\u0022, \u0022event_fingerprint\u0022: \u00222bc74a66a243c40126697f519e65200a159d147e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022, \u0022confidence\u0022: 0.46, \u0022classification_confidence\u0022: 0.46, \u0022precision_score\u0022: 55, \u0022precision_signals\u0022: [\u0022INT-TOR-exit-hint\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-TOR-exit-hint\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tor-or\u0022, \u0022risk_confidence_factor\u0022: 46.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u0022d2d40d620e587c49ef0af866b893b1d5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9001, \u0022service\u0022: \u0022tor-or\u0022, \u0022service_name\u0022: \u0022tor-or\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022botnet\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a4dbd1694e0e3ef4f8c36d5e0520e2ab58aab338\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 9001, \u0022service\u0022: \u0022tor-or\u0022, \u0022service_label_fr\u0022: \u0022TOR OR\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via TOR OR:9001 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u00229001 \u00b7 TOR OR\u0022, \u0022emulator_service\u0022: \u0022tor-or\u0022, \u0022confidence_reason\u0022: \u0022Confiance 46 % \u2014 6 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0011 \u2014 confiance 46 % \u2014 via TOR OR\u0022, \u0022confidence_pct\u0022: 46, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022tor-or\u0022, \u0022service_label_fr\u0022: \u0022TOR OR\u0022, \u0022dst_port\u0022: 9001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-TOR-exit-hint\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Tor Exit Hint\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tor-or\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 9001, \u0022service\u0022: \u0022tor-or\u0022, \u0022service_label_fr\u0022: \u0022TOR OR\u0022}, \u0022attack_vector\u0022: \u0022tor exit probe \u00b7 via TOR OR:9001 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00229001 \u00b7 TOR OR\u0022, \u0022emulator_service\u0022: \u0022tor-or\u0022, \u0022confidence_reason\u0022: \u0022Confiance 46 % \u2014 6 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 46 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tor_or\u0022, \u0022service_banner\u0022: \u0022honeypot-tor-or\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_tor_probe\u0022, \u0022tor_exit_probe\u0022, \u0022tor_or_emulated\u0022, \u0022tor_or_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_tor_probe\u0022, \u0022tor_exit_probe\u0022, \u0022tor_or_emulated\u0022, \u0022tor_or_payload\u0022]","anomalies":"[]","severity":7,"bytes_in":213},{"id":12663919,"ip":"89.248.172.10","ts":"2026-07-17 14:03:35.000000","proto":"tcp","src_port":60000,"dst_port":1194,"service":"openvpn","classification":"openvpn_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022380000000000000000\u0022, \u0022emulator_response_len\u0022: 9, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022openvpn\u0022, \u0022app_proto\u0022: \u0022openvpn\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1194, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 46.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 46.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ea291ae0e8b639ab856b1e8b6249cd430dcefc7a\u0022, \u0022event_fingerprint\u0022: \u00223a7ecaf9104d633c1b2b6cfa11ec7d30d1b69370\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 131, \u0022precision_signals\u0022: [\u0022INT-openvpn_pkt\u0022, \u0022INT-VPN-openvpn-pkt\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-openvpn_pkt\u0022, \u0022INT-VPN-openvpn-pkt\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 46.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022openvpn\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00226c07e36460e62c833d0e82829ad833da\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1194, \u0022service\u0022: \u0022openvpn\u0022, \u0022service_name\u0022: \u0022openvpn\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022977d202256a5fac31fadb43f61512c712b6b61d8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 1194, \u0022service\u0022: \u0022openvpn\u0022, \u0022service_label_fr\u0022: \u0022OPENVPN\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221194 \u00b7 OPENVPN\u0022, \u0022emulator_service\u0022: \u0022openvpn\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via OPENVPN\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 46.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022openvpn\u0022, \u0022service_label_fr\u0022: \u0022OPENVPN\u0022, \u0022dst_port\u0022: 1194, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-openvpn_pkt\u0022, \u0022INT-VPN-openvpn-pkt\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Openvpn Pkt\u0022, \u0022Vpn Openvpn Pkt\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-openvpn\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 1194, \u0022service\u0022: \u0022openvpn\u0022, \u0022service_label_fr\u0022: \u0022OPENVPN\u0022}, \u0022attack_vector\u0022: \u0022openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00221194 \u00b7 OPENVPN\u0022, \u0022emulator_service\u0022: \u0022openvpn\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022openvpn\u0022, \u0022service_banner\u0022: \u0022honeypot-openvpn\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221194\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_openvpn_probe\u0022, \u0022openvpn_emulated\u0022, \u0022wireguard_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_openvpn_probe\u0022, \u0022openvpn_emulated\u0022, \u0022wireguard_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":213},{"id":12652268,"ip":"89.248.172.10","ts":"2026-07-17 10:12:57.000000","proto":"tcp","src_port":60000,"dst_port":1707,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002239b1f0ffae6bc4a4f6615bb6049d12fbf7523f23\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1707, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223c0665954444ace42bc84e644b2e17ae6d732062\u0022, \u0022event_fingerprint\u0022: \u00226cc33ac46317dcb0632f01320569e7af782b09fa\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022951aeae5c86a184c4c5e3c7911f59e84\u0022, \u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1707, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e75dc3cc5a5685cee24b4d31fd15ecedf6f47268\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 1707, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:1707 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221707 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 43, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1707, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 1707, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:1707 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00221707 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221707\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":12648322,"ip":"89.248.172.10","ts":"2026-07-17 08:39:36.000000","proto":"tcp","src_port":60000,"dst_port":5000,"service":"flask-http","classification":"stun_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c\u0022, \u0022emulator_response_len\u0022: 158, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022flask-http\u0022, \u0022app_proto\u0022: \u0022flask-http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 5000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002201e979bab5cff3658f796a53a85df7f28227702e\u0022, \u0022event_fingerprint\u0022: \u0022ca12ac856c9aabb53943b247ec13e1d2f927b610\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab stun_probe \u00bb (signaux protocolaires) \u00b7 confiance 44%\u0022, \u0022confidence\u0022: 0.44, \u0022classification_confidence\u0022: 0.44, \u0022precision_score\u0022: 52, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0771\u0022], \u0022matched_patterns\u0022: [\u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022flask-http\u0022, \u0022risk_confidence_factor\u0022: 44.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00222209b46920c1113b64f1b7d3129712ba\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5000, \u0022service\u0022: \u0022flask-http\u0022, \u0022service_name\u0022: \u0022flask-http\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab stun_probe \u00bb (signaux protocolaires) \u00b7 confiance 44%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cc70bce18027ec6bd377b4e08a4d148fd874eed4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 5000, \u0022service\u0022: \u0022flask-http\u0022, \u0022service_label_fr\u0022: \u0022FLASK HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022stun probe \u00b7 via FLASK HTTP:5000 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225000 \u00b7 FLASK HTTP\u0022, \u0022emulator_service\u0022: \u0022flask-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 44 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab stun_probe \u00bb (signaux protocolaires) \u00b7 confiance 44%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab stun_probe \u00bb (signaux protocolaires) \u00b7 confiance 44%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 44, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022flask-http\u0022, \u0022service_label_fr\u0022: \u0022FLASK HTTP\u0022, \u0022dst_port\u0022: 5000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-flask-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 5000, \u0022service\u0022: \u0022flask-http\u0022, \u0022service_label_fr\u0022: \u0022FLASK HTTP\u0022}, \u0022attack_vector\u0022: \u0022stun probe \u00b7 via FLASK HTTP:5000 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00225000 \u00b7 FLASK HTTP\u0022, \u0022emulator_service\u0022: \u0022flask-http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 44 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 44 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022flask_http\u0022, \u0022service_banner\u0022: \u0022honeypot-flask-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022flask_http_emulated\u0022, \u0022net_web_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022flask_http_emulated\u0022, \u0022net_web_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":12646055,"ip":"89.248.172.10","ts":"2026-07-17 07:42:56.000000","proto":"tcp","src_port":60000,"dst_port":1433,"service":"mssql","classification":"mssql_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002237051d253c792a703ef86a951fdecd81bbfe50e9\u0022, \u0022event_fingerprint\u0022: \u00226e104f6072c052d0dd22893d2f1fa140642f7c7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 32}, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00226d4ca317e1154f7afb07772c79279a04\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a913b07b8741735c6900fb285a635d476f917997\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022mssql probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022net_mssql_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022net_mssql_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":6,"bytes_in":372},{"id":12621164,"ip":"89.248.172.10","ts":"2026-07-17 05:45:48.000000","proto":"tcp","src_port":60000,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4456c11bb207fc83a21f6a530e37cb56baf9f93\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223ab8b973f9c4ca3cb4437ef10fecc7fd073c6770\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":12616872,"ip":"89.248.172.10","ts":"2026-07-17 04:02:45.000000","proto":"tcp","src_port":60000,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ede27279abdf995b4c23aeb42aaef771106fc4d\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d84b353c2e3026305f118e4eda26f551d550f6a6\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022]","anomalies":"[]","severity":5,"bytes_in":0},{"id":12614690,"ip":"89.248.172.10","ts":"2026-07-17 03:01:52.000000","proto":"tcp","src_port":60000,"dst_port":1433,"service":"mssql","classification":"mssql_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 46.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 30, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f93adaca9f40880298f96a6f0f3e4baf34caa9e9\u0022, \u0022event_fingerprint\u0022: \u00226e104f6072c052d0dd22893d2f1fa140642f7c7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 30}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00226d4ca317e1154f7afb07772c79279a04\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 30}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a428499b9473e4b39f3cd4f84447a3392f5bf7d5\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022mssql probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 5 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 30\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 30}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 30, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 5 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022net_mssql_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022net_mssql_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":213},{"id":12606317,"ip":"89.248.172.10","ts":"2026-07-16 23:09:16.000000","proto":"tcp","src_port":60000,"dst_port":5200,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 13, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 5200, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fceae235d2c0a3b07a13d893bdc626ae93393213\u0022, \u0022event_fingerprint\u0022: \u00228f3997ffd2f65a3b91cda730ed2985867d0270fe\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5200, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b5b4e49cb2cc79c5abebdba1de2985859360ae81\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 5200, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5200 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225200 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 5200, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 5200, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5200 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00225200 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"18e9afaf91db6f8a2470e7435c2a1d6b","tls_ja3":"770,49162-49172-57-107-53-61-49159-49161-49187-49169-49171-49191-51-103-50-5-4-47-60-10,61184-65281-10-11-35-13172-30031-5,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":12557410,"ip":"89.248.172.10","ts":"2026-07-16 20:25:28.000000","proto":"tcp","src_port":60000,"dst_port":5757,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002239b1f0ffae6bc4a4f6615bb6049d12fbf7523f23\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 5757, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002212ce8e507d473eb4a4aa94b272f0e38cf0041101\u0022, \u0022event_fingerprint\u0022: \u00222c40738fcae3f1f447fcfe206122348527c5fa18\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022951aeae5c86a184c4c5e3c7911f59e84\u0022, \u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5757, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b49722d3dfd6971a993d7cd7e6a3a3cc5bd64490\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 5757, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:5757 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225757 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5757, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 5757, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:5757 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00225757 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225757\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":12549556,"ip":"89.248.172.10","ts":"2026-07-16 19:18:00.000000","proto":"tcp","src_port":60000,"dst_port":5757,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 13, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 5757, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022699989861f82805685abfc52f624a36c68988793\u0022, \u0022event_fingerprint\u0022: \u00223fd4c6aac6b29e92e0c8b62734aff077bca73b2b\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5757, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002232bdffe71a73c3d70ee22c820e86df5427d5a8e6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 5757, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5757 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225757 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 5757, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 5757, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5757 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00225757 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225757\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"18e9afaf91db6f8a2470e7435c2a1d6b","tls_ja3":"770,49162-49172-57-107-53-61-49159-49161-49187-49169-49171-49191-51-103-50-5-4-47-60-10,61184-65281-10-11-35-13172-30031-5,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":12535024,"ip":"89.248.172.10","ts":"2026-07-16 16:44:29.000000","proto":"tcp","src_port":60000,"dst_port":1198,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002239b1f0ffae6bc4a4f6615bb6049d12fbf7523f23\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1198, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b3f1154194470787c6247da59070d815d4b6df8e\u0022, \u0022event_fingerprint\u0022: \u002245fc3ae0a1e9e21894feb21d1db63129c1d26646\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022951aeae5c86a184c4c5e3c7911f59e84\u0022, \u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1198, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ee824f630440bf7b48c92c491176d1def156291\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 1198, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:1198 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221198 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1198, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 1198, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:1198 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00221198 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221198\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":12460711,"ip":"89.248.172.10","ts":"2026-07-16 10:10:19.000000","proto":"tcp","src_port":60000,"dst_port":5000,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c\u0022, \u0022emulator_response_len\u0022: 158, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002239b1f0ffae6bc4a4f6615bb6049d12fbf7523f23\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 5000, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227facca5d8d1bbc094e42b6eb9c9326b6d7f59473\u0022, \u0022event_fingerprint\u0022: \u002241a5264783b364b03eb66ec4f3aee7e46d71e898\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022951aeae5c86a184c4c5e3c7911f59e84\u0022, \u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b7e431b3ff108747663f1b6366a572135e499a23\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 5000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 5000, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:5000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00225000 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":12448225,"ip":"89.248.172.10","ts":"2026-07-16 08:38:28.000000","proto":"tcp","src_port":60000,"dst_port":3128,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002239b1f0ffae6bc4a4f6615bb6049d12fbf7523f23\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3128, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fd26819072250dcb8b4055072de225d2cf030e2f\u0022, \u0022event_fingerprint\u0022: \u0022b44d6a5705c872a60d428b36f768df94eca10fde\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022951aeae5c86a184c4c5e3c7911f59e84\u0022, \u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3128, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dfba20030cf5b07bc1d1fd2b72a3d917b1961bf3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 3128, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:3128 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223128 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3128, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 3128, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:3128 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00223128 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223128\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":12303009,"ip":"89.248.172.10","ts":"2026-07-15 23:58:24.000000","proto":"tcp","src_port":60000,"dst_port":6501,"service":"http","classification":"exploit_attempt","waf_score":16,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002239b1f0ffae6bc4a4f6615bb6049d12fbf7523f23\u0022, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 213, \u0022payload_entropy\u0022: 5.305116943429694, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 6501, \u0022risk_waf\u0022: 72.0, \u0022risk_classification\u0022: 72.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221ceb75d35aa1372ff35fe20354c2c7e24b969762\u0022, \u0022event_fingerprint\u0022: \u00229de72bbdaef4075a7bb07692ced8eea19ce64805\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022confidence\u0022: 0.62, \u0022classification_confidence\u0022: 0.62, \u0022precision_score\u0022: 73, \u0022precision_signals\u0022: [\u0022MITRE-T1190\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1190\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 62.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022951aeae5c86a184c4c5e3c7911f59e84\u0022, \u0022payload_hash\u0022: \u0022ad7b4a0a30ea0eda4010b09302bff5f3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6501, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true\\r\\nAccept: *\/*\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220c093bf440f69db310766325cb104dca917c78c9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 6501, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:6501 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226501 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tentative d\u0027exploit (tag rce-0) \u00b7 confiance 62%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 62, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 72.0, \u0022classification\u0022: 72.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6501, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022MITRE-T1190\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022MITRE-T1190\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko\u2026\u0022, \u0022port\u0022: 6501, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022exploit attempt \u00b7 via HTTP:6501 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16\u0022, \u0022target_port_label\u0022: \u00226501 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 62 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226501\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us; Silk\/1.0.13.81_10003810) AppleWebKit\/533.16 (KHTML, like Gecko) Version\/5.0 Safari\/533.16 Silk-Accelerated=true","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":8,"bytes_in":213},{"id":12294512,"ip":"89.248.172.10","ts":"2026-07-15 22:42:21.000000","proto":"tcp","src_port":60000,"dst_port":5060,"service":"sip","classification":"sip_voip_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ede27279abdf995b4c23aeb42aaef771106fc4d\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002212e58fcb9ae07c2755694e8888ea070c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d84b353c2e3026305f118e4eda26f551d550f6a6\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab sip_voip_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022sip voip probe \u00b7 via SIP:5060 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022]","anomalies":"[]","severity":5,"bytes_in":0},{"id":12183181,"ip":"89.248.172.10","ts":"2026-07-15 10:22:10.000000","proto":"tcp","src_port":60000,"dst_port":14567,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 13, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 14567, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002266b2a259067f6e151be34e74d38df27a2079f9e1\u0022, \u0022event_fingerprint\u0022: \u002212b19453dbb3b54e4c7c5d8bfb8cc21217e0a5f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 14567, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228e05dd28b157a3d87c284c4f8ebf862cf72c3d47\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 14567, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:14567 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002214567 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 14567, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 14567, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:14567 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u002214567 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002214567\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"18e9afaf91db6f8a2470e7435c2a1d6b","tls_ja3":"770,49162-49172-57-107-53-61-49159-49161-49187-49169-49171-49191-51-103-50-5-4-47-60-10,61184-65281-10-11-35-13172-30031-5,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":12075491,"ip":"89.248.172.10","ts":"2026-07-15 04:15:26.000000","proto":"tcp","src_port":60000,"dst_port":53,"service":"dns","classification":"dns_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022160380036f0100006b03025248c51a23f73a4edfe2b4822fff09549fa7c479b068c6138ca41c3d22e11a982084b42c85af6ee359bb62686cff283d273aa982d96fc8a2d79398b4ef80e5b9900028c00ac0140039006b0035003dc007c009c023c011c013c02700330067003200050004002f003c000a010000faef00001a0018\u0022, \u0022emulator_response_len\u0022: 372, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022dns\u0022, \u0022app_proto\u0022: \u0022dns\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 53, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002299ca9d090780dd2d2524bc6eeb1fe5cba81a3a64\u0022, \u0022event_fingerprint\u0022: \u0022a8ecfe27665a94483df3963a81bc8aaa2d3740ad\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44}, \u0022service_name\u0022: \u0022dns\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00221ff272bdca0ffa92c866625cbd3295f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 53, \u0022service\u0022: \u0022dns\u0022, \u0022service_name\u0022: \u0022dns\u0022, \u0022risk_score\u0022: 44}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002208be9a2e6883c96905d6a6620b739d7ff035dd8e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 53, \u0022service\u0022: \u0022dns\u0022, \u0022service_label_fr\u0022: \u0022DNS\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002253 \u00b7 DNS\u0022, \u0022emulator_service\u0022: \u0022dns\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022dns\u0022, \u0022service_label_fr\u0022: \u0022DNS\u0022, \u0022dst_port\u0022: 53, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-dns\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 53, \u0022service\u0022: \u0022dns\u0022, \u0022service_label_fr\u0022: \u0022DNS\u0022}, \u0022attack_vector\u0022: \u0022dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u002253 \u00b7 DNS\u0022, \u0022emulator_service\u0022: \u0022dns\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022dns\u0022, \u0022service_banner\u0022: \u0022honeypot-dns\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002253\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022dns_emulated\u0022, \u0022dns_payload\u0022, \u0022net_dns_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022dns_emulated\u0022, \u0022dns_payload\u0022, \u0022net_dns_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":11948030,"ip":"89.248.172.10","ts":"2026-07-14 16:52:59.000000","proto":"tcp","src_port":60000,"dst_port":3128,"service":"squid","classification":"squid_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e31203430372050726f78792041757468656e7469636174696f6e2052657175697265640d0a50726f78792d41757468656e7469636174653a204261736963207265616c6d3d227371756964220d0a436f6e74656e742d4c656e6774683a2034360d0a0d0a3c68746d6c3e3c626f64793e53717569642070726f\u0022, \u0022emulator_response_len\u0022: 153, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022squid\u0022, \u0022app_proto\u0022: \u0022squid\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 3128, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002260480c2a9faab1a5aedf50852373db562bbab5b8\u0022, \u0022event_fingerprint\u0022: \u002281586bffa6e86d9c12ce9b39f0f0b836967cb06f\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab squid_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022squid\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00229e572cafeeabbd95104cd808285e515e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3128, \u0022service\u0022: \u0022squid\u0022, \u0022service_name\u0022: \u0022squid\u0022, \u0022risk_score\u0022: 45}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab squid_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022262bdcfd9fbb42f9a2803dc590e9455df8c84179\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 3128, \u0022service\u0022: \u0022squid\u0022, \u0022service_label_fr\u0022: \u0022SQUID\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022squid probe \u00b7 via SQUID:3128 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223128 \u00b7 SQUID\u0022, \u0022emulator_service\u0022: \u0022squid\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab squid_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab squid_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022squid\u0022, \u0022service_label_fr\u0022: \u0022SQUID\u0022, \u0022dst_port\u0022: 3128, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-squid\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 3128, \u0022service\u0022: \u0022squid\u0022, \u0022service_label_fr\u0022: \u0022SQUID\u0022}, \u0022attack_vector\u0022: \u0022squid probe \u00b7 via SQUID:3128 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00223128 \u00b7 SQUID\u0022, \u0022emulator_service\u0022: \u0022squid\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022squid\u0022, \u0022service_banner\u0022: \u0022honeypot-squid\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223128\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_squid_probe\u0022, \u0022squid_emulated\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_squid_probe\u0022, \u0022squid_emulated\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":11946280,"ip":"89.248.172.10","ts":"2026-07-14 16:24:59.000000","proto":"tcp","src_port":60000,"dst_port":1701,"service":"l2tp","classification":"l2tp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022c802007500080000000000000000\u0022, \u0022emulator_response_len\u0022: 14, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022l2tp\u0022, \u0022app_proto\u0022: \u0022l2tp\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1701, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002276ed07829af5a4eb80f535bc465262ecc78bc4b7\u0022, \u0022event_fingerprint\u0022: \u00220f250c2c21cdddb93e518a807fadce942f8b008f\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022l2tp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u0022e0cbaa420d1e263af517ba2fd511b7ae\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1701, \u0022service\u0022: \u0022l2tp\u0022, \u0022service_name\u0022: \u0022l2tp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022674ede62553577ede6043dddaf8d1cd9854e047e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 1701, \u0022service\u0022: \u0022l2tp\u0022, \u0022service_label_fr\u0022: \u0022L2TP\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022l2tp probe \u00b7 via L2TP:1701 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221701 \u00b7 L2TP\u0022, \u0022emulator_service\u0022: \u0022l2tp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab l2tp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022l2tp\u0022, \u0022service_label_fr\u0022: \u0022L2TP\u0022, \u0022dst_port\u0022: 1701, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-l2tp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 1701, \u0022service\u0022: \u0022l2tp\u0022, \u0022service_label_fr\u0022: \u0022L2TP\u0022}, \u0022attack_vector\u0022: \u0022l2tp probe \u00b7 via L2TP:1701 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00221701 \u00b7 L2TP\u0022, \u0022emulator_service\u0022: \u0022l2tp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022l2tp\u0022, \u0022service_banner\u0022: \u0022honeypot-l2tp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221701\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022l2tp_emulated\u0022, \u0022l2tp_payload\u0022, \u0022net_l2tp_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022l2tp_emulated\u0022, \u0022l2tp_payload\u0022, \u0022net_l2tp_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":11909453,"ip":"89.248.172.10","ts":"2026-07-14 12:35:27.000000","proto":"tcp","src_port":60000,"dst_port":500,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 13, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 500, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a948bc67a04ecc965763b4f2cf717408285dbe98\u0022, \u0022event_fingerprint\u0022: \u0022d3e13a36bd14a1bd90bef384b72434444968d7d0\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 500, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228f0224cc96653dd444679561b03c016c232c5acc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 500, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:500 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022500 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 500, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022tls_ja3\u0022: \u002218e9afaf91db6f8a2470e7435c2a1d6b\u0022, \u0022port\u0022: 500, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:500 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u0022500 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022500\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"18e9afaf91db6f8a2470e7435c2a1d6b","tls_ja3":"770,49162-49172-57-107-53-61-49159-49161-49187-49169-49171-49191-51-103-50-5-4-47-60-10,61184-65281-10-11-35-13172-30031-5,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":372},{"id":11861011,"ip":"89.248.172.10","ts":"2026-07-14 08:28:53.000000","proto":"tcp","src_port":60000,"dst_port":1723,"service":"pptp","classification":"pptp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022009a000100000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 152, \u0022bytes_in\u0022: 372, \u0022payload_entropy\u0022: 6.827478645460878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022service\u0022: \u0022pptp\u0022, \u0022app_proto\u0022: \u0022pptp\u0022, \u0022asn\u0022: 202425, \u0022country\u0022: \u0022NL\u0022, \u0022dst_port\u0022: 1723, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022649f5bc17e8f924044d127d497957e9af62e3e9e\u0022, \u0022event_fingerprint\u0022: \u002271584713bb04b570046daaa2c28d60858e61192a\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022NL\u0022, \u0022asn\u0022: 202425, \u0022org\u0022: \u0022IP Volume inc\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b81809bfd53087ba03b6f3907cd619b\u0022, \u0022path_pattern_hash\u0022: \u002223335ae831d64e1fb258930612ed9faf\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\\u0000\\u0000\\u0015syndication.twimg.com\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000#\\u0000\ufffd\ufffd\\u0001\\u0019g`\\u001e\\u0004B\ufffd\ufffd\ufffd\u003C\ufffdXO\ufffdiD\ufffd\\u001d\ufffd\\u0001\ufffd\ufffd\ufffd=]\ufffd\\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\\n\\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\\u0016`~G\\u0007\\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\\u0003\ufffd(\u0649\/\\u000f\\u0007\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223976604de19e4caae21931a7aeaf3255d1d9550c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab pptp_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022, \u0022dst_port\u0022: 1723, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0002\\u0001o\\u0001\\u0000\\u0001k\\u0003\\u0002RH\ufffd\\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\\u0013\ufffd\ufffd\\u001c=\\\u0022\ufffd\\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\\u0000(\ufffd\\n\ufffd\\u0014\\u00009\\u0000k\\u00005\\u0000=\ufffd\\u0007\ufffd\\t\ufffd#\ufffd\\u0011\ufffd\\u0013\ufffd\u0027\\u00003\\u0000g\\u00002\\u0000\\u0005\\u0000\\u0004\\u0000\/\\u0000\u003C\\u0000\\n\\u0001\\u0000\\u0000\ufffd\ufffd\\u0000\\u0000\\u001a\\u0000\\u0018\u0022, \u0022port\u0022: 1723, \u0022service\u0022: \u0022pptp\u0022, \u0022service_label_fr\u0022: \u0022PPTP\u0022}, \u0022attack_vector\u0022: \u0022pptp probe \u00b7 via PPTP:1723 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\\\u0022\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=\u0027:\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\\n\ufffd9k5=\ufffd\ufffd\\t\ufffd#\ufffd\ufffd\ufffd\u00273g2\/\u003C\\n\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00221723 \u00b7 PPTP\u0022, \u0022emulator_service\u0022: \u0022pptp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pptp\u0022, \u0022service_banner\u0022: \u0022honeypot-pptp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221723\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pptp_probe\u0022, \u0022pptp_emulated\u0022, \u0022pptp_payload\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":372}],"total_events":31}