{ "node": "triton", "role": "main", "generated_at": "2026-04-16T11:00:04.545757Z", "unique_ips": 25, "threats": [ { "ip": "141.98.11.181", "first_seen": "2026-04-16T01:51:26-04:00", "last_seen": "2026-04-16T06:37:37-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T06:37:37-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T06:37:36-04:00" }, { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-16T06:37:34-04:00" }, { "name": "wp-nested-backdoor", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T01:51:26-04:00" }, { "name": "wp-obscure-nested-php", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T01:51:26-04:00" }, { "name": "php-backdoor-generic", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T01:51:26-04:00" } ], "source": [ "Argus", "Triton" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "45.148.10.243", "first_seen": "2026-04-16T05:58:44-04:00", "last_seen": "2026-04-16T05:58:44-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-16T05:58:44-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "46.105.40.140", "first_seen": "2026-04-16T05:45:45-04:00", "last_seen": "2026-04-16T05:45:45-04:00", "scenarios": [ { "name": "crowdsecurity/http-bad-user-agent", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-16T05:45:45-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "172.213.241.216", "first_seen": "2026-04-16T05:04:03-04:00", "last_seen": "2026-04-16T05:04:03-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-16T05:04:03-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T05:04:03-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "20.199.125.41", "first_seen": "2026-04-16T04:42:02-04:00", "last_seen": "2026-04-16T04:42:12-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-16T04:42:12-04:00" }, { "name": "webshell-probe", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-16T04:42:11-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T04:42:02-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "51.68.236.70", "first_seen": "2026-04-16T03:18:42-04:00", "last_seen": "2026-04-16T03:18:42-04:00", "scenarios": [ { "name": "crowdsecurity/http-bad-user-agent", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-16T03:18:42-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "2602:80d:1007::32", "first_seen": "2026-04-16T03:02:12-04:00", "last_seen": "2026-04-16T03:02:12-04:00", "scenarios": [ { "name": "protocol-mismatch", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-16T03:02:12-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "20.92.87.114", "first_seen": "2026-04-16T02:46:04-04:00", "last_seen": "2026-04-16T02:46:05-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-16T02:46:05-04:00" }, { "name": "crowdsecurity/http-backdoors-attempts", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-16T02:46:05-04:00" }, { "name": "webshell-probe", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-16T02:46:04-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.89, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Unknown" ], "mitre_techniques": [ "T1059", "T1105" ] }, "scope": "fleet" }, { "ip": "136.118.0.150", "first_seen": "2026-04-16T02:11:55-04:00", "last_seen": "2026-04-16T02:11:55-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T02:11:55-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T02:11:55-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.9, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "136.109.80.43", "first_seen": "2026-04-16T02:09:49-04:00", "last_seen": "2026-04-16T02:09:49-04:00", "scenarios": [ { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T02:09:49-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T02:09:49-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.9, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "20.223.155.224", "first_seen": "2026-04-16T01:46:58-04:00", "last_seen": "2026-04-16T01:47:03-04:00", "scenarios": [ { "name": "webshell-probe", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-16T01:47:03-04:00" }, { "name": "crowdsecurity/http-backdoors-attempts", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-16T01:47:03-04:00" }, { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-16T01:47:01-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T01:46:58-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-16T01:46:58-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T01:46:58-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.9, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access", "Unknown" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "103.168.66.237", "first_seen": "2026-04-16T01:10:40-04:00", "last_seen": "2026-04-16T01:10:41-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-16T01:10:41-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-16T01:10:41-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T01:10:40-04:00" }, { "name": "crowdsecurity/http-crawl-non_statics", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-16T01:10:40-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T01:10:40-04:00" }, { "name": "crowdsecurity/http-admin-interface-probing", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-16T01:10:40-04:00" }, { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-16T01:10:40-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-16T01:10:40-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-16T01:10:40-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.88, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access", "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1059", "T1105", "T1190", "T1595" ] }, "scope": "fleet" }, { "ip": "136.107.173.174", "first_seen": "2026-04-16T01:08:41-04:00", "last_seen": "2026-04-16T01:08:41-04:00", "scenarios": [ { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T01:08:41-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T01:08:41-04:00" } ], "source": [ "Argus" ], "confidence": { "score": 0.9, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "34.48.160.178", "first_seen": "2026-04-16T00:29:55-04:00", "last_seen": "2026-04-16T00:29:55-04:00", "scenarios": [ { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T00:29:55-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-16T00:29:55-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.9, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "104.196.193.143", "first_seen": "2026-04-15T23:32:00-04:00", "last_seen": "2026-04-15T23:32:03-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-15T23:32:03-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-15T23:32:03-04:00" }, { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-15T23:32:00-04:00" } ], "source": [ "Argus" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "45.148.10.120", "first_seen": "2026-04-15T23:26:54-04:00", "last_seen": "2026-04-15T23:26:54-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-15T23:26:54-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "20.89.234.204", "first_seen": "2026-04-15T23:23:13-04:00", "last_seen": "2026-04-15T23:23:19-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-15T23:23:19-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-15T23:23:19-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-15T23:23:19-04:00" }, { "name": "wp-obscure-nested-php", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-15T23:23:17-04:00" }, { "name": "wp-nested-backdoor", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-15T23:23:17-04:00" }, { "name": "crowdsecurity/http-wordpress-scan", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-15T23:23:14-04:00" }, { "name": "crowdsecurity/http-admin-interface-probing", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-15T23:23:13-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-15T23:23:13-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.98, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access", "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1059", "T1105", "T1190", "T1595" ] }, "scope": "fleet" }, { "ip": "147.182.177.135", "first_seen": "2026-04-15T23:19:18-04:00", "last_seen": "2026-04-15T23:19:18-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-15T23:19:18-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "130.12.180.144", "first_seen": "2026-04-15T23:02:07-04:00", "last_seen": "2026-04-15T23:02:07-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-15T23:02:07-04:00" } ], "source": [ "Argus" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "16.58.56.214", "first_seen": "2026-04-15T22:27:58-04:00", "last_seen": "2026-04-15T22:27:58-04:00", "scenarios": [ { "name": "protocol-mismatch", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-15T22:27:58-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "64.50.191.32", "first_seen": "2026-04-15T22:11:47-04:00", "last_seen": "2026-04-15T22:11:47-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-15T22:11:47-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "205.210.31.67", "first_seen": "2026-04-15T21:40:10-04:00", "last_seen": "2026-04-15T21:40:10-04:00", "scenarios": [ { "name": "protocol-mismatch", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-15T21:40:10-04:00" } ], "source": [ "Ares" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "98.93.160.221", "first_seen": "2026-04-15T21:37:32-04:00", "last_seen": "2026-04-15T21:37:32-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-04-15T21:37:32-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "20.223.204.92", "first_seen": "2026-04-15T20:30:33-04:00", "last_seen": "2026-04-15T20:30:38-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-15T20:30:38-04:00" }, { "name": "crowdsecurity/http-wordpress-scan", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-15T20:30:33-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-04-15T20:30:33-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.88, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access", "Unknown" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "20.203.241.30", "first_seen": "2026-04-15T20:11:08-04:00", "last_seen": "2026-04-15T20:11:15-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-15T20:11:15-04:00" }, { "name": "webshell-probe", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-04-15T20:11:15-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-15T20:11:08-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-04-15T20:11:08-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" } ] }