{ "node": "triton", "role": "main", "generated_at": "2026-04-14T05:50:04.419803Z", "unique_ips": 25, "threats": [ { "ip": "103.39.109.165", "first_seen": "2026-04-14T01:32:40-04:00", "last_seen": "2026-04-14T01:32:40-04:00", "scenarios": [ { "name": "crowdsecurity/http-cve-2021-41773", "category": "cve-exploit", "base_score": 0.9, "count": 1, "last_seen": "2026-04-14T01:32:40-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.93, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "52.53.216.111", "first_seen": "2026-04-14T01:22:14-04:00", "last_seen": "2026-04-14T01:22:23-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-14T01:22:23-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-14T01:22:23-04:00" }, { "name": "crowdsecurity/http-admin-interface-probing", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-14T01:22:16-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-14T01:22:14-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-14T01:22:14-04:00" } ], "source": [ "Argus" ], "confidence": { "score": 0.82, "label": "medium" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1059", "T1105", "T1595" ] }, "scope": "fleet" }, { "ip": "3.98.122.56", "first_seen": "2026-04-14T01:15:54-04:00", "last_seen": "2026-04-14T01:16:00-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-14T01:16:00-04:00" }, { "name": "php-known-backdoor", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-14T01:15:59-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-14T01:15:59-04:00" }, { "name": "crowdsecurity/http-admin-interface-probing", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-14T01:15:55-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-14T01:15:54-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-14T01:15:54-04:00" } ], "source": [ "Argus" ], "confidence": { "score": 0.87, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access", "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1059", "T1105", "T1190", "T1595" ] }, "scope": "fleet" }, { "ip": "54.153.85.199", "first_seen": "2026-04-14T00:59:10-04:00", "last_seen": "2026-04-14T00:59:20-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-14T00:59:20-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-14T00:59:10-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.52, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "2602:80d:1008::96", "first_seen": "2026-04-14T00:55:44-04:00", "last_seen": "2026-04-14T00:55:44-04:00", "scenarios": [ { "name": "protocol-mismatch", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-14T00:55:44-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "88.151.32.89", "first_seen": "2026-04-14T00:45:40-04:00", "last_seen": "2026-04-14T00:45:40-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-14T00:45:40-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "54.232.196.99", "first_seen": "2026-04-14T00:32:01-04:00", "last_seen": "2026-04-14T00:32:09-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-14T00:32:09-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-14T00:32:01-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-14T00:32:01-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.49, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "45.88.138.44", "first_seen": "2026-04-13T23:36:12-04:00", "last_seen": "2026-04-13T23:36:48-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-13T23:36:48-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T23:36:44-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T23:36:12-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.49, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "138.68.86.32", "first_seen": "2026-04-13T23:35:49-04:00", "last_seen": "2026-04-13T23:35:56-04:00", "scenarios": [ { "name": "crowdsecurity/jira_cve-2021-26086", "category": "cve-exploit", "base_score": 0.9, "count": 1, "last_seen": "2026-04-13T23:35:56-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-13T23:35:53-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-13T23:35:49-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.89, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Initial Access", "Reconnaissance" ], "mitre_techniques": [ "T1190", "T1595" ] }, "scope": "fleet" }, { "ip": "157.245.113.227", "first_seen": "2026-04-13T23:35:36-04:00", "last_seen": "2026-04-13T23:35:50-04:00", "scenarios": [ { "name": "crowdsecurity/jira_cve-2021-26086", "category": "cve-exploit", "base_score": 0.9, "count": 1, "last_seen": "2026-04-13T23:35:50-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-13T23:35:43-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T23:35:36-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.78, "label": "medium" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Initial Access", "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1190", "T1595" ] }, "scope": "fleet" }, { "ip": "209.38.82.120", "first_seen": "2026-04-13T23:28:01-04:00", "last_seen": "2026-04-13T23:28:01-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T23:28:01-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.88, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "172.185.40.47", "first_seen": "2026-04-13T23:17:22-04:00", "last_seen": "2026-04-13T23:17:24-04:00", "scenarios": [ { "name": "crowdsecurity/http-cve-2021-42013", "category": "cve-exploit", "base_score": 0.9, "count": 1, "last_seen": "2026-04-13T23:17:24-04:00" }, { "name": "crowdsecurity/http-cve-2021-41773", "category": "cve-exploit", "base_score": 0.9, "count": 1, "last_seen": "2026-04-13T23:17:22-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.95, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "147.182.154.144", "first_seen": "2026-04-13T23:15:24-04:00", "last_seen": "2026-04-13T23:15:24-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T23:15:24-04:00" } ], "source": [ "Argus" ], "confidence": { "score": 0.88, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "3.101.12.43", "first_seen": "2026-04-13T23:10:18-04:00", "last_seen": "2026-04-13T23:10:22-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-13T23:10:22-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T23:10:18-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T23:10:18-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.49, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "4.196.165.107", "first_seen": "2026-04-13T23:04:17-04:00", "last_seen": "2026-04-13T23:04:17-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-13T23:04:17-04:00" }, { "name": "webshell-probe", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-13T23:04:17-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T23:04:17-04:00" }, { "name": "wp-obscure-nested-php", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T23:04:17-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T23:04:17-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "172.232.209.215", "first_seen": "2026-04-13T22:53:59-04:00", "last_seen": "2026-04-13T22:53:59-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-13T22:53:59-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "15.188.65.240", "first_seen": "2026-04-13T22:31:35-04:00", "last_seen": "2026-04-13T22:31:35-04:00", "scenarios": [ { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T22:31:35-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-13T22:31:35-04:00" } ], "source": [ "Argus" ], "confidence": { "score": 0.52, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "82.24.64.32", "first_seen": "2026-04-13T22:21:04-04:00", "last_seen": "2026-04-13T22:21:04-04:00", "scenarios": [ { "name": "crowdsecurity/http-cve-2021-41773", "category": "cve-exploit", "base_score": 0.9, "count": 1, "last_seen": "2026-04-13T22:21:04-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.93, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "71.6.237.28", "first_seen": "2026-04-13T21:18:57-04:00", "last_seen": "2026-04-13T21:18:57-04:00", "scenarios": [ { "name": "protocol-mismatch", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T21:18:57-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "2.26.61.107", "first_seen": "2026-04-13T20:58:55-04:00", "last_seen": "2026-04-13T20:58:55-04:00", "scenarios": [ { "name": "crowdsecurity/http-cve-2021-41773", "category": "cve-exploit", "base_score": 0.9, "count": 1, "last_seen": "2026-04-13T20:58:55-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.93, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "20.215.241.46", "first_seen": "2026-04-13T20:54:39-04:00", "last_seen": "2026-04-13T20:54:41-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-13T20:54:41-04:00" }, { "name": "webshell-probe", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-13T20:54:41-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T20:54:41-04:00" }, { "name": "php-obscure-path-backdoor", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T20:54:41-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T20:54:39-04:00" }, { "name": "wp-obscure-nested-php", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T20:54:39-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "158.158.43.6", "first_seen": "2026-04-13T20:53:48-04:00", "last_seen": "2026-04-13T20:53:50-04:00", "scenarios": [ { "name": "webshell-probe", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-13T20:53:50-04:00" }, { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-13T20:53:50-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T20:53:48-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T20:53:48-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.93, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access", "Unknown" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "198.235.24.111", "first_seen": "2026-04-13T20:50:45-04:00", "last_seen": "2026-04-13T20:50:45-04:00", "scenarios": [ { "name": "protocol-mismatch", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T20:50:45-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "66.132.186.181", "first_seen": "2026-04-13T19:43:51-04:00", "last_seen": "2026-04-13T19:43:51-04:00", "scenarios": [ { "name": "crowdsecurity/http-bad-user-agent", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T19:43:51-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "52.139.47.45", "first_seen": "2026-04-13T18:58:59-04:00", "last_seen": "2026-04-13T18:59:02-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-13T18:59:02-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T18:59:02-04:00" }, { "name": "php-known-backdoor", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T18:59:02-04:00" }, { "name": "webshell-probe", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-13T18:59:01-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T18:59:01-04:00" }, { "name": "wp-obscure-nested-php", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T18:59:01-04:00" }, { "name": "php-any-suspicious", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T18:59:00-04:00" }, { "name": "php-suspicious-name", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T18:59:00-04:00" }, { "name": "php-backdoor-generic", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T18:58:59-04:00" }, { "name": "crowdsecurity/http-wordpress-scan", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-13T18:58:59-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-13T18:58:59-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access", "Unknown" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" } ] }