{ "node": "triton", "role": "main", "generated_at": "2026-05-31T12:10:04.421546Z", "unique_ips": 25, "threats": [ { "ip": "20.63.37.90", "first_seen": "2026-05-31T07:42:29-04:00", "last_seen": "2026-05-31T07:42:29-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-05-31T07:42:29-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence" ], "mitre_techniques": [ "T1059", "T1105" ] }, "scope": "fleet" }, { "ip": "91.92.42.86", "first_seen": "2026-05-31T07:16:36-04:00", "last_seen": "2026-05-31T07:16:36-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T07:16:36-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T07:16:36-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T07:16:36-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.85, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access", "Reconnaissance" ], "mitre_techniques": [ "T1190", "T1595" ] }, "scope": "fleet" }, { "ip": "45.94.31.32", "first_seen": "2026-05-31T07:11:31-04:00", "last_seen": "2026-05-31T07:11:31-04:00", "scenarios": [ { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T07:11:31-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T07:11:31-04:00" } ], "source": [ "Zephyrus" ], "confidence": { "score": 0.9, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "207.241.173.205", "first_seen": "2026-05-31T06:24:39-04:00", "last_seen": "2026-05-31T06:24:40-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T06:24:40-04:00" }, { "name": "crowdsecurity/http-crawl-non_statics", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T06:24:39-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T06:24:39-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T06:24:39-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.54, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "140.245.98.34", "first_seen": "2026-05-31T05:55:00-04:00", "last_seen": "2026-05-31T05:55:00-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T05:55:00-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.88, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "136.113.175.140", "first_seen": "2026-05-31T05:54:24-04:00", "last_seen": "2026-05-31T05:54:25-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T05:54:25-04:00" }, { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T05:54:25-04:00" }, { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-05-31T05:54:24-04:00" } ], "source": [ "Argus" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "143.198.181.59", "first_seen": "2026-05-31T05:12:16-04:00", "last_seen": "2026-05-31T05:12:31-04:00", "scenarios": [ { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T05:12:31-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T05:12:31-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T05:12:16-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.58, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "172.202.23.10", "first_seen": "2026-05-31T05:05:19-04:00", "last_seen": "2026-05-31T05:05:28-04:00", "scenarios": [ { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T05:05:28-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T05:05:28-04:00" }, { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-05-31T05:05:28-04:00" }, { "name": "wp-obscure-nested-php", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T05:05:27-04:00" }, { "name": "php-suspicious-enum", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T05:05:27-04:00" }, { "name": "wp-obscure-path-backdoor", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T05:05:27-04:00" }, { "name": "php-obscure-path-backdoor", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T05:05:26-04:00" }, { "name": "php-known-backdoor", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T05:05:24-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T05:05:19-04:00" } ], "source": [ "Vault" ], "confidence": { "score": 1.0, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access", "Unknown" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "4.228.96.127", "first_seen": "2026-05-31T04:48:54-04:00", "last_seen": "2026-05-31T04:49:00-04:00", "scenarios": [ { "name": "webshell-high-confidence", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-05-31T04:49:00-04:00" }, { "name": "webshell-probe", "category": "post-exploitation", "base_score": 0.95, "count": 1, "last_seen": "2026-05-31T04:48:55-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T04:48:55-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T04:48:54-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.93, "label": "high" }, "severity": { "level": "critical", "score": 9, "mitre_tactics": [ "Command and Control / Persistence", "Initial Access", "Unknown" ], "mitre_techniques": [ "T1059", "T1105", "T1190" ] }, "scope": "fleet" }, { "ip": "162.141.167.49", "first_seen": "2026-05-29T07:35:34-04:00", "last_seen": "2026-05-31T04:48:54-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T04:48:54-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-29T07:35:42-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-29T07:35:42-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-29T07:35:34-04:00" } ], "source": [ "Iris", "Zephyrus" ], "confidence": { "score": 0.59, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "208.84.100.207", "first_seen": "2026-05-30T20:51:59-04:00", "last_seen": "2026-05-31T04:27:14-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T04:27:14-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T04:27:10-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T04:27:09-04:00" }, { "name": "crowdsecurity/http-crawl-non_statics", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-30T20:51:59-04:00" } ], "source": [ "Argus", "Zephyrus" ], "confidence": { "score": 0.59, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "185.177.72.68", "first_seen": "2026-05-31T02:39:14-04:00", "last_seen": "2026-05-31T02:39:14-04:00", "scenarios": [ { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T02:39:14-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "172.233.190.104", "first_seen": "2026-05-31T02:19:39-04:00", "last_seen": "2026-05-31T02:19:44-04:00", "scenarios": [ { "name": "crowdsecurity/http-admin-interface-probing", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T02:19:44-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T02:19:39-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T02:19:39-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.58, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "92.205.188.156", "first_seen": "2026-05-31T01:55:56-04:00", "last_seen": "2026-05-31T01:55:56-04:00", "scenarios": [ { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T01:55:56-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T01:55:56-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.9, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "51.68.111.241", "first_seen": "2026-05-31T01:50:50-04:00", "last_seen": "2026-05-31T01:50:50-04:00", "scenarios": [ { "name": "crowdsecurity/http-bad-user-agent", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T01:50:50-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "85.121.126.31", "first_seen": "2026-05-30T02:37:02-04:00", "last_seen": "2026-05-31T01:25:08-04:00", "scenarios": [ { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T01:25:08-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T01:25:08-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-30T02:37:02-04:00" } ], "source": [ "Argus", "Triton" ], "confidence": { "score": 0.63, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "142.248.80.245", "first_seen": "2026-05-30T17:01:29-04:00", "last_seen": "2026-05-31T01:13:38-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T01:13:38-04:00" }, { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T01:13:30-04:00" }, { "name": "crowdsecurity/http-sensitive-files", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-30T17:01:31-04:00" }, { "name": "crowdsecurity/http-probing", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-30T17:01:29-04:00" } ], "source": [ "Argus", "Triton" ], "confidence": { "score": 0.59, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance", "Unknown" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "176.61.149.56", "first_seen": "2026-05-31T00:21:25-04:00", "last_seen": "2026-05-31T00:21:25-04:00", "scenarios": [ { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T00:21:25-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T00:21:25-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.9, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "162.214.79.109", "first_seen": "2026-05-31T00:20:08-04:00", "last_seen": "2026-05-31T00:20:08-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-31T00:20:08-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.88, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "35.219.233.53", "first_seen": "2026-05-31T00:19:39-04:00", "last_seen": "2026-05-31T00:19:39-04:00", "scenarios": [ { "name": "crowdsecurity/http-bad-user-agent", "category": "other", "base_score": 0.4, "count": 1, "last_seen": "2026-05-31T00:19:39-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.3, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Unknown" ], "mitre_techniques": [] }, "scope": "fleet" }, { "ip": "45.3.48.33", "first_seen": "2026-05-31T00:00:55-04:00", "last_seen": "2026-05-31T00:00:55-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-31T00:00:55-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "104.155.29.73", "first_seen": "2026-05-30T23:59:15-04:00", "last_seen": "2026-05-30T23:59:15-04:00", "scenarios": [ { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-30T23:59:15-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.88, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" }, { "ip": "85.121.127.91", "first_seen": "2026-05-30T23:41:33-04:00", "last_seen": "2026-05-30T23:41:33-04:00", "scenarios": [ { "name": "mgmt-path-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-30T23:41:33-04:00" }, { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-30T23:41:33-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "209.50.166.167", "first_seen": "2026-05-30T23:24:41-04:00", "last_seen": "2026-05-30T23:24:41-04:00", "scenarios": [ { "name": "suspicious-probe", "category": "reconnaissance", "base_score": 0.6, "count": 1, "last_seen": "2026-05-30T23:24:41-04:00" } ], "source": [ "Triton" ], "confidence": { "score": 0.6, "label": "low" }, "severity": { "level": "low", "score": 1, "mitre_tactics": [ "Reconnaissance" ], "mitre_techniques": [ "T1595" ] }, "scope": "fleet" }, { "ip": "84.247.181.196", "first_seen": "2026-05-30T23:07:52-04:00", "last_seen": "2026-05-30T23:07:52-04:00", "scenarios": [ { "name": "wordpress-probe", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-30T23:07:52-04:00" }, { "name": "wp-sensitive-paths", "category": "web-exploitation", "base_score": 0.85, "count": 1, "last_seen": "2026-05-30T23:07:52-04:00" } ], "source": [ "Iris" ], "confidence": { "score": 0.9, "label": "high" }, "severity": { "level": "high", "score": 7, "mitre_tactics": [ "Initial Access" ], "mitre_techniques": [ "T1190" ] }, "scope": "fleet" } ] }