{ "node": "triton", "role": "main", "generated_at": "2026-06-19T13:00:04.676204Z", "unique_ips": 25, "threats": [ { "ip": "96.41.38.202", "first_seen": "2026-06-19T08:59:07-04:00", "last_seen": "2026-06-19T08:59:07-04:00", "scenarios": [ { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T08:59:07-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T08:59:07-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "45.88.138.45", "first_seen": "2026-06-16T12:56:45-04:00", "last_seen": "2026-06-19T08:56:00-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T08:56:00-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T08:55:55-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T08:55:55-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T08:55:47-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-16T12:56:45-04:00" } ], "source": [ "Hermes", "Zephyrus" ], "confidence": { "score": 0.78, "label": "medium" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Initial Access", "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1190", "T1595" ] }, "scope": "fleet" }, { "ip": "205.169.39.233", "first_seen": "2026-06-19T08:55:38-04:00", "last_seen": "2026-06-19T08:55:38-04:00", "scenarios": [ { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T08:55:38-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "34.122.147.229", "first_seen": "2026-06-19T08:55:24-04:00", "last_seen": "2026-06-19T08:55:24-04:00", "scenarios": [ { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T08:55:24-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "205.169.39.12", "first_seen": "2026-06-19T08:55:22-04:00", "last_seen": "2026-06-19T08:55:22-04:00", "scenarios": [ { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T08:55:22-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "164.92.244.132", "first_seen": "2026-06-19T08:54:41-04:00", "last_seen": "2026-06-19T08:54:48-04:00", "scenarios": [ { "name": "crowdsecurity/jira_cve-2021-26086", "category": "cve-exploit", "base_score": 0.9, "count": 1, "last_seen": "2026-06-19T08:54:48-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T08:54:41-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.89, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Initial Access", "Reconnaissance" ], "mitre_techniques": [ "T1190", "T1595" ] }, "scope": "fleet" }, { "ip": "157.230.19.140", "first_seen": "2026-06-19T08:54:28-04:00", "last_seen": "2026-06-19T08:54:46-04:00", "scenarios": [ { "name": "crowdsecurity/jira_cve-2021-26086", "category": "cve-exploit", "base_score": 0.9, "count": 1, "last_seen": "2026-06-19T08:54:46-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T08:54:37-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T08:54:28-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.78, "label": "medium" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Initial Access", "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1190", "T1595" ] }, "scope": "fleet" }, { "ip": "46.105.46.43", "first_seen": "2026-06-19T08:48:04-04:00", "last_seen": "2026-06-19T08:48:04-04:00", "scenarios": [ { "name": "crowdsecurity/http-bad-user-agent", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T08:48:04-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "51.68.111.205", "first_seen": "2026-06-19T08:41:31-04:00", "last_seen": "2026-06-19T08:41:31-04:00", "scenarios": [ { "name": "crowdsecurity/http-bad-user-agent", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T08:41:31-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "46.105.40.140", "first_seen": "2026-06-19T06:59:05-04:00", "last_seen": "2026-06-19T06:59:05-04:00", "scenarios": [ { "name": "crowdsecurity/http-bad-user-agent", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T06:59:05-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "34.145.152.155", "first_seen": "2026-06-19T05:55:13-04:00", "last_seen": "2026-06-19T05:55:15-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-19T05:55:15-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-19T05:55:14-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T05:55:13-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.78, "label": "medium" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access", "Unknown" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "167.71.178.54", "first_seen": "2026-06-19T05:27:57-04:00", "last_seen": "2026-06-19T05:27:57-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-19T05:27:57-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.88, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "208.84.100.113", "first_seen": "2026-06-19T03:18:08-04:00", "last_seen": "2026-06-19T03:18:20-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T03:18:20-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T03:18:13-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T03:18:10-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T03:18:10-04:00" }, { "name": "crowdsecurity/http-crawl-non_statics", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T03:18:08-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.52, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "141.11.62.23", "first_seen": "2026-06-19T02:42:22-04:00", "last_seen": "2026-06-19T02:42:22-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T02:42:22-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "64.89.163.214", "first_seen": "2026-06-19T02:05:22-04:00", "last_seen": "2026-06-19T02:05:22-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-19T02:05:22-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "4.201.96.144", "first_seen": "2026-06-19T01:58:44-04:00", "last_seen": "2026-06-19T01:58:55-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-06-19T01:58:55-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-19T01:58:44-04:00" } ], "source": [ "Vault" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "51.68.107.137", "first_seen": "2026-06-19T01:24:33-04:00", "last_seen": "2026-06-19T01:24:33-04:00", "scenarios": [ { "name": "crowdsecurity/http-bad-user-agent", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T01:24:33-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "85.204.70.88", "first_seen": "2026-06-19T00:47:34-04:00", "last_seen": "2026-06-19T00:47:34-04:00", "scenarios": [ { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-19T00:47:34-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-19T00:47:34-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.9, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "62.60.130.231", "first_seen": "2026-06-19T00:38:16-04:00", "last_seen": "2026-06-19T00:38:16-04:00", "scenarios": [ { "name": "crowdsecurity/http-bad-user-agent", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-19T00:38:16-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "45.148.10.120", "first_seen": "2026-06-18T23:45:48-04:00", "last_seen": "2026-06-18T23:45:48-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-18T23:45:48-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "185.93.89.167", "first_seen": "2026-06-18T23:29:45-04:00", "last_seen": "2026-06-18T23:29:48-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-18T23:29:48-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-06-18T23:29:45-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.52, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "20.9.25.20", "first_seen": "2026-06-18T23:08:22-04:00", "last_seen": "2026-06-18T23:08:27-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-06-18T23:08:27-04:00" }, { "name": "php-known-backdoor", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-18T23:08:26-04:00" }, { "name": "webshell-probe", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-06-18T23:08:25-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-18T23:08:22-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "165.245.254.88", "first_seen": "2026-06-18T23:00:12-04:00", "last_seen": "2026-06-18T23:00:12-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-18T23:00:12-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.88, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "138.68.188.32", "first_seen": "2026-06-18T22:33:02-04:00", "last_seen": "2026-06-18T22:33:02-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-06-18T22:33:02-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.88, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "195.178.110.159", "first_seen": "2026-06-18T22:04:25-04:00", "last_seen": "2026-06-18T22:04:25-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-06-18T22:04:25-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" } ] }