{"id":5893,"date":"2026-05-05T22:11:30","date_gmt":"2026-05-05T22:11:30","guid":{"rendered":"http:\/\/localhost:8080\/?page_id=5893"},"modified":"2026-05-06T00:12:24","modified_gmt":"2026-05-06T00:12:24","slug":"scythe-c87c626a","status":"publish","type":"page","link":"https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/?page_id=5893","title":{"rendered":"scythe-c87c626a SESSION-98342a26"},"content":{"rendered":"\n
session-hypergraph-SESSION-98342a26<\/a>Download<\/a><\/div>\n\n\n\n
scythe-c87c626a | May 5, 2026 _ Texas City, TX\n\n7 PCAPs \u2022 81 sessions \u2022 52 hosts \u2022 52 \ud83c\udf0d geolocated\n\ncapture_20260505150001 - 20260505210001\n\nSCYTHE_HYPERGRAPH Bundle @ https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/wp-content\/uploads\/2026\/05\/session-hypergraph-SESSION-98342a26.html\n\nDetails @ https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/?page_id=5893<\/code><\/pre>\n\n\n\n
[19:06:49] \u26a0\ufe0f 2 proximity alerts active!\n[19:10:31] Traceroute \u2192 2.57.122.191\n[19:11:01] 13 hops\n[19:11:01] Hop 1: \ud83d\udce1XCI55AX.mynetworksettings.com \u2014 3.15ms [rf_link] \u2298dist\n[19:11:01] Hop 2: \ud83d\udd0410.184.141.2 \u2014 238.65ms [mimo_reassembly] \u26a1 MIMO \u2298dist\n[19:11:01] Hop 3: \u2699\ufe0f10.184.141.2 \u2014 38.4ms [packet_core] \u26a0 priv \u2298dist\n[19:11:01] Hop 4: \u2699\ufe0f10.184.141.9 \u2014 33.74ms [packet_core] \u26a0 priv \u2298dist\n[19:11:01] Hop 5: \u2699\ufe0f172.19.2.242 \u2014 33.74ms [packet_core] \u26a0 priv \u2298dist\n[19:11:01] Hop 7: \ud83d\udd00187.sub-69-83-101.myvzw.com \u2014 33.75ms [cgnat_cluster] \u26a0 spike \u2298dist\n[19:11:01] Hop 9: \ud83d\udd0c212.sub-69-83-96.myvzw.com \u2014 73.54ms +4596.2km [access_router] \u26a0 spike\n[19:11:01] Hop 10: \ud83d\udd0c75.sub-69-83-97.myvzw.com \u2014 28.77ms +1798.1km [access_router] \u26a0 spike\n[19:11:01] Hop 12: \ud83c\udf10customer.alter.net \u2014 28.06ms +1753.8km [peering_edge] \u26a0 spike\n[19:11:01] Hop 14: \u2708\ufe0fg0-1.gw2.bluedome.net \u2014 138.19ms +8636.9km [international_transit] \u26a0 spike\n[19:11:01] Hop 15: \ud83d\udd0cae4-7.rt.dpx.bud.hu.retn.net \u2014 157.94ms +9871.2km [access_router] \u26a0 spike\n[19:11:01] Hop 16: \ud83d\udd0cgw-as47890.retn.net \u2014 178.24ms +11140km [access_router] \u26a0 spike\n[19:11:01] Hop 17: \ud83c\udfaf2.57.122.191 \u2014 167.39ms +10461.9km [destination] \u26a0 spike\n[19:11:01] \ud83d\udd34 5G MIMO path detected \u2014 early hops excluded from distance\n[19:11:01] \u2708\ufe0f International transit detected\n[19:11:01] \ud83d\udccf Distance hops: 7 of 13 usable\n[19:11:01] Total: ~8369.5 km from server\n[19:11:01] \ud83c\udf10 4 trace entities on globe (8 logical segments)\n[19:11:28] Traceroute \u2192 185.207.251.124\n[19:11:33] 16 hops\n[19:11:33] Hop 1: \ud83d\udce1XCI55AX.mynetworksettings.com \u2014 3.17ms [rf_link] \u2298dist\n[19:11:33] Hop 2: \ud83d\udd0c10.184.141.2 \u2014 42.5ms +2656.2km [access_router] \u26a0 priv\n[19:11:33] Hop 3: \ud83d\udd0c10.184.141.2 \u2014 37.23ms +2326.9km [access_router] \u26a0 priv\n[19:11:33] Hop 5: \ud83d\udd00238.qarestr.sub-172-19-2.myvzw.com \u2014 32.65ms [cgnat_cluster] \u26a0 spike \u2298dist\n[19:11:33] Hop 6: \ud83c\udfd7\ufe0f185.sub-69-83-101.myvzw.com \u2014 32.81ms [mpls_private_backbone] \u26a0 spike \u2298dist\n[19:11:33] Hop 7: \ud83c\udfd7\ufe0f187.sub-69-83-101.myvzw.com \u2014 32.97ms [mpls_private_backbone] \u26a0 spike \u2298dist\n[19:11:33] Hop 9: \ud83c\udfd7\ufe0f212.sub-69-83-96.myvzw.com \u2014 33.15ms [mpls_private_backbone] \u26a0 spike \u2298dist\n[19:11:33] Hop 10: \ud83c\udfd7\ufe0f75.sub-69-83-97.myvzw.com \u2014 32.99ms [mpls_private_backbone] \u26a0 spike \u2298dist\n[19:11:33] Hop 13: \ud83d\udd0cdls-b23-link.ip.twelve99.net \u2014 42.17ms +2635.6km [access_router] \u26a0 spike\n[19:11:33] Hop 14: \ud83d\udd0catl-b24-link.ip.twelve99.net \u2014 51.89ms +3243.1km [access_router] \u26a0 spike\n[19:11:33] Hop 15: \ud83d\udd0catl-bb2-link.ip.twelve99.net \u2014 51.84ms +3240km [access_router] \u26a0 spike\n[19:11:33] Hop 16: \ud83d\udd0cash-bb2-link.ip.twelve99.net \u2014 67.19ms +4199.4km [access_router] \u26a0 spike\n[19:11:33] Hop 17: \ud83d\udd0cprs-bb2-link.ip.twelve99.net \u2014 152.09ms +9505.6km [access_router] \u26a0 spike\n[19:11:33] Hop 18: \ud83d\udd0claut-b2-link.ip.twelve99.net \u2014 151.72ms +9482.5km [access_router] \u26a0 spike\n[19:11:33] Hop 19: \ud83d\udd0c212.133.82.98 \u2014 146.07ms +9129.4km [access_router] \u26a0 spike\n[19:11:33] Hop 22: \ud83c\udfafvmi1401757.contaboserver.net \u2014 151.55ms +9471.9km [destination] \u26a0 spike\n[19:11:33] \ud83d\udd34 5G MIMO path detected \u2014 early hops excluded from distance\n[19:11:33] \ud83d\udccf Distance hops: 10 of 16 usable\n[19:11:33] Total: ~7577.5 km from server\n[19:11:33] \ud83c\udf10 3 trace entities on globe (6 logical segments)\n[19:11:42] Traceroute \u2192 77.247.182.248\n[19:11:47] 18 hops\n[19:11:47] Hop 1: \ud83d\udce1XCI55AX.mynetworksettings.com \u2014 1.63ms [rf_link] \u2298dist\n[19:11:47] Hop 2: \u2699\ufe0f10.184.141.2 \u2014 37.31ms [packet_core] \u26a0 priv \u2298dist\n[19:11:47] Hop 3: \u2699\ufe0f10.184.141.2 \u2014 37.29ms [packet_core] \u26a0 priv \u2298dist\n[19:11:47] Hop 4: \u2699\ufe0f10.184.141.9 \u2014 24.2ms [packet_core] \u26a0 priv \u2298dist\n[19:11:47] Hop 5: \ud83d\udd00248.qarestr.sub-172-19-2.myvzw.com \u2014 26.65ms [cgnat_cluster] \u26a0 spike \u2298dist\n[19:11:47] Hop 7: \ud83c\udfd7\ufe0f187.sub-69-83-101.myvzw.com \u2014 26.5ms [mpls_private_backbone] \u26a0 spike \u2298dist\n[19:11:47] Hop 9: \ud83c\udfd7\ufe0f212.sub-69-83-96.myvzw.com \u2014 21.31ms [mpls_private_backbone] \u26a0 spike \u2298dist\n[19:11:47] Hop 10: \ud83c\udfd7\ufe0f75.sub-69-83-97.myvzw.com \u2014 21.39ms [mpls_private_backbone] \u26a0 spike \u2298dist\n[19:11:47] Hop 13: \ud83d\udd0cdls-bb1-link.ip.twelve99.net \u2014 31ms +1937.5km [access_router] \u26a0 spike\n[19:11:47] Hop 14: \ud83d\udd0cnash-bb1-link.ip.twelve99.net \u2014 45.76ms +2860km [access_router] \u26a0 spike\n[19:11:47] Hop 15: \ud83d\udd0catl-bb1-link.ip.twelve99.net \u2014 46.66ms +2916.2km [access_router] \u26a0 spike\n[19:11:47] Hop 17: \ud83d\udd0catl-bb2-link.ip.twelve99.net \u2014 45.92ms +2870km [access_router] \u26a0 spike\n[19:11:47] Hop 18: \ud83d\udd0cash-bb2-link.ip.twelve99.net \u2014 55.65ms +3478.1km [access_router] \u26a0 spike\n[19:11:47] Hop 19: \ud83d\udd0cprs-bb2-link.ip.twelve99.net \u2014 140.38ms +8773.8km [access_router] \u26a0 spike\n[19:11:47] Hop 20: \ud83d\udd0cadm-bb2-link.ip.twelve99.net \u2014 150.9ms +9431.2km [access_router] \u26a0 spike\n[19:11:47] Hop 21: \ud83d\udd0cadm-b3-link.ip.twelve99.net \u2014 150.1ms +9381.2km [access_router] \u26a0 spike\n[19:11:47] Hop 22: \ud83d\udd0c80.239.221.135 \u2014 179.93ms +11245.6km [access_router] \u26a0 spike\n[19:11:47] Hop 24: \ud83c\udfaf77.247.182.248 \u2014 153.84ms +9615km [destination] \u26a0 spike\n[19:11:47] \ud83d\udd34 5G MIMO path detected \u2014 early hops excluded from distance\n[19:11:47] \ud83d\udccf Distance hops: 10 of 18 usable\n[19:11:47] Total: ~7692 km from server\n[19:11:47] \ud83c\udf10 3 trace entities on globe (6 logical segments)<\/code><\/pre>\n\n\n\n
\ud83e\udde0 CLUSTER INTEL\nClusters: 17\nThreats: 0\nRF emitters: 0\nUAVs: 0\nC2: 0\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-63d1d285\nNodes: 19\nBehavior: MIXED\nASN: AS6389 \u2014 Amazon.com, Inc.\nInfra: Hyperscaler (78% conf) \u00b7 2 ASNs\nCountry: ID\nMobility: Fixed infrastructure\nLocation: -6.211\u00b0, 106.845\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS6389 \u2014 Amazon.com, Inc. (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS6389 (Amazon.com, Inc.) [Hyperscaler] \u00b7 Jurisdiction: ID\n\u2192 [LOW] SCHEDULE_RESCAN: Large dormant cluster \u2014 may be staging infrastructure\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-eea8f7a5\nNodes: 7\nBehavior: MIXED\nASN: AS31377 \u2014 Akamai Connected Cloud\nInfra: Edge CDN (100% conf)\nCountry: US\nMobility: Fixed infrastructure\nLocation: 41.883\u00b0, -87.630\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS31377 \u2014 Akamai Connected Cloud (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS31377 (Akamai Connected Cloud) [Edge CDN] \u00b7 Jurisdiction: US\n\u2192 [LOW] SCHEDULE_RESCAN: Large dormant cluster \u2014 may be staging infrastructure\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-61e1337e\nNodes: 15\nBehavior: MIXED\nASN: AS14618 \u2014 Amazon.com, Inc.\nInfra: Hyperscaler (86% conf) \u00b7 2 ASNs\nCountry: US\nMobility: Fixed infrastructure\nLocation: 39.047\u00b0, -77.490\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS14618 \u2014 Amazon.com, Inc. (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS14618 (Amazon.com, Inc.) [Hyperscaler] \u00b7 Jurisdiction: US\n\u2192 [LOW] SCHEDULE_RESCAN: Large dormant cluster \u2014 may be staging infrastructure\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-756b0eb2\nNodes: 3\nBehavior: MIXED\nASN: AS328436 \u2014 Flashnet-Technologies-Limited\nCountry: TZ\nMobility: Fixed infrastructure\nLocation: -6.823\u00b0, 39.291\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS328436 \u2014 Flashnet-Technologies-Limited (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS328436 (Flashnet-Technologies-Limited) \u00b7 Jurisdiction: TZ\n\u2192 Awaiting sufficient data\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-390f6cef\nNodes: 13\nBehavior: MIXED\nASN: AS16509 \u2014 Amazon.com, Inc.\nInfra: Hyperscaler (100% conf)\nCountry: DE\nMobility: Fixed infrastructure\nLocation: 52.520\u00b0, 13.407\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS16509 \u2014 Amazon.com, Inc. (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS16509 (Amazon.com, Inc.) [Hyperscaler] \u00b7 Jurisdiction: DE\n\u2192 [LOW] SCHEDULE_RESCAN: Large dormant cluster \u2014 may be staging infrastructure\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-b120604a\nNodes: 3\nBehavior: MIXED\nASN: AS272809 \u2014 THUNDERNET, C.A.\nCountry: VE\nMobility: Fixed infrastructure\nLocation: 10.487\u00b0, -66.874\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS272809 \u2014 THUNDERNET, C.A. (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS272809 (THUNDERNET, C.A.) \u00b7 Jurisdiction: VE\n\u2192 Awaiting sufficient data\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-cf233f95\nNodes: 7\nBehavior: MIXED\nASN: AS4134 \u2014 CHINANET Guangdong province network\nCountry: CN\nMobility: Fixed infrastructure\nLocation: 34.773\u00b0, 113.722\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS4134 \u2014 CHINANET Guangdong province network (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS4134 (CHINANET Guangdong province network) \u00b7 Jurisdiction: CN\n\u2192 [LOW] SCHEDULE_RESCAN: Large dormant cluster \u2014 may be staging infrastructure\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-c108ff10\nNodes: 18\nBehavior: MIXED\nASN: AS132203 \u2014 Tencent Building, Kejizhongyi Avenue\nInfra: Hyperscaler (50% conf) \u00b7 4 ASNs\nCountry: SG\nMobility: Fixed infrastructure\nLocation: 1.306\u00b0, 103.838\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS132203 \u2014 Tencent Building, Kejizhongyi Avenue (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS132203 (Tencent Building, Kejizhongyi Avenue) [Hyperscaler] \u00b7 Jurisdiction: SG\n\u2192 [LOW] SCHEDULE_RESCAN: Large dormant cluster \u2014 may be staging infrastructure\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-63954e9e\nNodes: 3\nBehavior: MIXED\nASN: AS198193 \u2014 Amarutu Technology Ltd\nCountry: SC\nMobility: Fixed infrastructure\nLocation: -4.583\u00b0, 55.667\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS198193 \u2014 Amarutu Technology Ltd (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS198193 (Amarutu Technology Ltd) \u00b7 Jurisdiction: SC\n\u2192 Awaiting sufficient data\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-7b3479de\nNodes: 7\nBehavior: MIXED\nASN: AS31863 \u2014 Centrilogic, Inc.\nCountry: US\nMobility: Fixed infrastructure\nLocation: 37.751\u00b0, -97.822\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS31863 \u2014 Centrilogic, Inc. (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS31863 (Centrilogic, Inc.) \u26a0 mixed infra (3 ASNs, 33% confidence) \u00b7 Jurisdiction: US\n\u2192 [LOW] SCHEDULE_RESCAN: Large dormant cluster \u2014 may be staging infrastructure\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-974e5955\nNodes: 3\nBehavior: MIXED\nASN: AS4766 \u2014 Korea Telecom\nInfra: ISP (100% conf)\nCountry: KR\nMobility: Fixed infrastructure\nLocation: 34.571\u00b0, 126.601\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS4766 \u2014 Korea Telecom (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS4766 (Korea Telecom) [ISP] \u00b7 Jurisdiction: KR\n\u2192 Awaiting sufficient data\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-eba7d729\nNodes: 5\nBehavior: MIXED\nASN: AS8075 \u2014 Microsoft Corporation\nInfra: Hyperscaler (100% conf)\nCountry: US\nMobility: Fixed infrastructure\nLocation: 36.669\u00b0, -78.388\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS8075 \u2014 Microsoft Corporation (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS8075 (Microsoft Corporation) [Hyperscaler] \u00b7 Jurisdiction: US\n\u2192 [LOW] SCHEDULE_RESCAN: Large dormant cluster \u2014 may be staging infrastructure\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-66e8dfae\nNodes: 3\nBehavior: MIXED\nASN: AS16509 \u2014 Amazon.com, Inc.\nInfra: Hyperscaler (100% conf)\nCountry: US\nMobility: Fixed infrastructure\nLocation: 39.962\u00b0, -83.006\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS16509 \u2014 Amazon.com, Inc. (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS16509 (Amazon.com, Inc.) [Hyperscaler] \u00b7 Jurisdiction: US\n\u2192 Awaiting sufficient data\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-5c2e3a0a\nNodes: 6\nBehavior: MIXED\nASN: AS41231 \u2014 Canonical Group Limited\nCountry: GB\nMobility: Fixed infrastructure\nLocation: 51.506\u00b0, -0.108\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS41231 \u2014 Canonical Group Limited (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS41231 (Canonical Group Limited) \u00b7 Jurisdiction: GB\n\u2192 [LOW] SCHEDULE_RESCAN: Large dormant cluster \u2014 may be staging infrastructure\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-ded8abbd\nNodes: 3\nBehavior: MIXED\nASN: AS48090 \u2014 Techoff Srv Limited\nCountry: NL\nMobility: Fixed infrastructure\nLocation: 52.376\u00b0, 4.897\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS48090 \u2014 Techoff Srv Limited (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS48090 (Techoff Srv Limited) \u00b7 Jurisdiction: NL\n\u2192 Awaiting sufficient data\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-0c174242\nNodes: 5\nBehavior: MIXED\nASN: AS41920 \u2014 Unmanaged Ltd\nCountry: RO\nMobility: Fixed infrastructure\nLocation: 45.997\u00b0, 24.997\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS41920 \u2014 Unmanaged Ltd (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS41920 (Unmanaged Ltd) \u00b7 Jurisdiction: RO\n\u2192 [LOW] SCHEDULE_RESCAN: Large dormant cluster \u2014 may be staging infrastructure\n\u26ab Quiet\nMEDIUM 50%\nCluster: swarm-b8afacf0\nNodes: 3\nBehavior: MIXED\nASN: AS15694 \u2014 Eurofiber France SAS\nCountry: FR\nMobility: Fixed infrastructure\nLocation: 48.856\u00b0, 2.349\u00b0 \ud83c\udf0d Fly To \ud83d\udd2c AUTOPSY\ud83d\udce6 BUNDLE\n\u23f1 Phase: 0%\nProp: INSUFFICIENT_DATA\n\u26a1 Control Origin: AS15694 \u2014 Eurofiber France SAS (0% \u00b7 cluster-level ASN (no per-event data))\nInsufficient activity for classification \u00b7 Dominant: AS15694 (Eurofiber France SAS) \u00b7 Jurisdiction: FR\n\u2192 Awaiting sufficient data\n[17:17:49]\u26abQuiet \u2014 3 nodes @ 48.86\u00b0,2.35\u00b0 FR \u00b7 AS15694 (Eurofiber France SAS) \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 5 nodes @ 46.00\u00b0,25.00\u00b0 RO \u00b7 AS41920 (Unmanaged Ltd) \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 3 nodes @ 52.38\u00b0,4.90\u00b0 NL \u00b7 AS48090 (Techoff Srv Limited) \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 6 nodes @ 51.51\u00b0,-0.11\u00b0 GB \u00b7 AS41231 (Canonical Group Limited) \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 3 nodes @ 39.96\u00b0,-83.01\u00b0 US \u00b7 AS16509 (Amazon.com, Inc.) [Hyperscaler] \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 5 nodes @ 36.67\u00b0,-78.39\u00b0 US \u00b7 AS8075 (Microsoft Corporation) [Hyperscaler] \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 3 nodes @ 34.57\u00b0,126.60\u00b0 KR \u00b7 AS4766 (Korea Telecom) [ISP] \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 7 nodes @ 37.75\u00b0,-97.82\u00b0 US \u00b7 AS31863 (Centrilogic, Inc.) \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 3 nodes @ -4.58\u00b0,55.67\u00b0 SC \u00b7 AS198193 (Amarutu Technology Ltd) \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 18 nodes @ 1.31\u00b0,103.84\u00b0 SG \u00b7 AS132203 (Tencent Building, Kejizhongyi Avenue) [Hyperscaler] \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 7 nodes @ 34.77\u00b0,113.72\u00b0 CN \u00b7 AS4134 (CHINANET Guangdong province network) \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 3 nodes @ 10.49\u00b0,-66.87\u00b0 VE \u00b7 AS272809 (THUNDERNET, C.A.) \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 13 nodes @ 52.52\u00b0,13.41\u00b0 DE \u00b7 AS16509 (Amazon.com, Inc.) [Hyperscaler] \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 3 nodes @ -6.82\u00b0,39.29\u00b0 TZ \u00b7 AS328436 (Flashnet-Technologies-Limited) \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 15 nodes @ 39.05\u00b0,-77.49\u00b0 US \u00b7 AS14618 (Amazon.com, Inc.) [Hyperscaler] \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 7 nodes @ 41.88\u00b0,-87.63\u00b0 US \u00b7 AS31377 (Akamai Connected Cloud) [Edge CDN] \u00b7 threat 50%\n[17:17:49]\u26abQuiet \u2014 19 nodes @ -6.21\u00b0,106.84\u00b0 ID \u00b7 AS6389 (Amazon.com, Inc.) [Hyperscaler] \u00b7 threat 50%<\/code><\/pre>\n\n\n\n
Nodes\nKind\tID\tLabels\tPosition\nasn\tasn:206264\tasn=206,264, org=Amarutu Technology Ltd\t\nasn\tasn:138421\tasn=138,421, org=China Unicom\t\nasn\tasn:200780\tasn=200,780, org=Eurofiber France SAS\t\nasn\tasn:398722\tasn=398,722, org=Censys, Inc.\t\nasn\tasn:48090\tasn=48,090, org=Techoff Srv Limited\t\nasn\tasn:8075\tasn=8,075, org=Microsoft Corporation\t\nasn\tasn:202306\tasn=202,306, org=Hostglobal.plus Ltd\t\nasn\tasn:134763\tasn=134,763, org=CHINANET Guangdong province network\t\nasn\tasn:328436\tasn=328,436, org=Flashnet-Technologies-Limited\t\nasn\tasn:47890\tasn=47,890, org=Unmanaged Ltd\t\nasn\tasn:16509\tasn=16,509, org=Amazon.com, Inc.\t\nasn\tasn:14618\tasn=14,618, org=Amazon.com, Inc.\t\nasn\tasn:4766\tasn=4,766, org=Korea Telecom\t\nasn\tasn:272809\tasn=272,809, org=THUNDERNET, C.A.\t\nasn\tasn:31863\tasn=31,863, org=Centrilogic, Inc.\t\nasn\tasn:41231\tasn=41,231, org=Canonical Group Limited\t\nasn\tasn:138915\tasn=138,915, org=Kaopu Cloud HK Limited\t\nasn\tasn:132203\tasn=132,203, org=Tencent Building, Kejizhongyi Avenue\t\nasn\tasn:63949\tasn=63,949, org=Akamai Connected Cloud\t\nbehavior_group\tBSG-DATA_EXFIL-c9d90f130d90\tbehavior=DATA_EXFIL, confidence=0.65, detection_rationale=total_bytes=38745; high_rate (133603 B\/s), dst_ip=, member_count=1, src_ip=40.77.167.4, summary=Exfil suspect: 40.77.167.4 \u2192 1 destinations, 38,745B total, max 38,745B\/session, total_bytes=38,745, total_packets=57, unique_hosts=1, unique_ports=0\t\nbehavior_group\tBSG-BEACON-f6c2b3d0e42d\tbehavior=BEACON, confidence=0.75, detection_rationale=byte_cv=0.07 (\u22640.6); count=19, dst_ip=172.232.0.17, dst_port=53, interval_cv=1.411, mean_interval=1,200, member_count=19, src_ip=172.234.197.23, summary=Beacon: 172.234.197.23 \u2192 172.232.0.17:53, 19 sessions, interval CV=1.41, mean 291B, total_bytes=5,535, total_packets=38, unique_hosts=0, unique_ports=0\t\nbehavior_group\tBSG-BEACON-a8a8c3c8a37f\tbehavior=BEACON, confidence=0.9, detection_rationale=timing_cv=0.00 (\u22640.5); byte_cv=0.00 (\u22640.6), dst_ip=172.234.197.23, dst_port=0, interval_cv=0, mean_interval=7,200, member_count=3, src_ip=103.155.16.117, summary=Beacon: 103.155.16.117 \u2192 172.234.197.23:0, 3 sessions, interval CV=0.00, mean 84B, total_bytes=252, total_packets=6, unique_hosts=0, unique_ports=0\t\nbehavior_group\tBSG-DATA_EXFIL-248342848c58\tbehavior=DATA_EXFIL, confidence=0.5, detection_rationale=total_bytes=15470, dst_ip=, member_count=1, src_ip=91.227.37.60, summary=Exfil suspect: 91.227.37.60 \u2192 1 destinations, 15,470B total, max 15,470B\/session, total_bytes=15,470, total_packets=36, unique_hosts=1, unique_ports=0\t\nbehavior_group\tBSG-DATA_EXFIL-93085dcb8f6d\tbehavior=DATA_EXFIL, confidence=0.5, detection_rationale=total_bytes=36871, dst_ip=, member_count=1, src_ip=172.234.197.23, summary=Exfil suspect: 172.234.197.23 \u2192 1 destinations, 36,871B total, max 36,871B\/session, total_bytes=36,871, total_packets=50, unique_hosts=1, unique_ports=0\t\nbehavior_group\tBSG-DATA_EXFIL-cab357e760c3\tbehavior=DATA_EXFIL, confidence=0.65, detection_rationale=total_bytes=32958; high_rate (183100 B\/s), dst_ip=, member_count=1, src_ip=172.236.119.165, summary=Exfil suspect: 172.236.119.165 \u2192 1 destinations, 32,958B total, max 32,958B\/session, total_bytes=32,958, total_packets=38, unique_hosts=1, unique_ports=0\t\nbehavior_group\tBSG-DATA_EXFIL-b6d7f24ac366\tbehavior=DATA_EXFIL, confidence=0.5, detection_rationale=total_bytes=24897, dst_ip=, member_count=1, src_ip=40.77.167.27, summary=Exfil suspect: 40.77.167.27 \u2192 1 destinations, 24,897B total, max 24,897B\/session, total_bytes=24,897, total_packets=47, unique_hosts=1, unique_ports=0\t\ndns_name\tdns:api.snapcraft.io\tanswer_count=4, qname=api.snapcraft.io\t\ndns_name\tdns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\tanswer_count=0, qname=172-234-197-23.ip.linodeusercontent.com.members.linode.com\t\ndns_name\tdns:172-234-197-23.ip.linodeusercontent.com\tanswer_count=0, qname=172-234-197-23.ip.linodeusercontent.com\t\nflow\tflow:a4dceb0b502c\tbytes=238, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:1914bb7cc20f\tbytes=1,228, dst_ip=172.234.197.23, dst_port=80, pkts=10, proto=tcp, src_ip=14.17.85.204\t\nflow\tflow:b4f49eacb030\tbytes=282, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:67de7fac861b\tbytes=282, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:02ba1d809494\tbytes=84, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=103.155.16.117\t\nflow\tflow:3b21f9ede7cb\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=108.137.123.21\t\nflow\tflow:d55b3af6cdbc\tbytes=228, dst_ip=172.234.197.23, dst_port=443, pkts=4, proto=tcp, src_ip=102.69.167.14\t\nflow\tflow:e67e9c201483\tbytes=148, dst_ip=172.234.197.23, dst_port=23, pkts=2, proto=tcp, src_ip=82.86.130.0\t\nflow\tflow:ea0949f415db\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=108.136.246.109\t\nflow\tflow:4501038c119d\tbytes=1,353, dst_ip=172.234.197.23, dst_port=80, pkts=10, proto=tcp, src_ip=3.220.15.173\t\nflow\tflow:8914df23a392\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=16.79.76.70\t\nflow\tflow:c79e28885a99\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=51.224.53.243\t\nflow\tflow:729bae75cfd4\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=51.224.16.78\t\nflow\tflow:8089546c59de\tbytes=282, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:c4b1d3f380b6\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=16.79.76.70\t\nflow\tflow:18ab509ee72d\tbytes=4,957, dst_ip=172.234.197.23, dst_port=22, pkts=25, proto=tcp, src_ip=221.156.137.102\t\nflow\tflow:a4f2cd6ce2f7\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=13.229.125.1\t\nflow\tflow:fd30f5960ad1\tbytes=5,239, dst_ip=172.234.197.23, dst_port=443, pkts=23, proto=tcp, src_ip=54.227.57.227\t\nflow\tflow:cf8bff248bec\tbytes=282, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:40d85800a99d\tbytes=282, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:c704ad95df18\tbytes=84, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=103.155.16.117\t\nflow\tflow:02b1e8c8b192\tbytes=84, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=103.155.16.117\t\nflow\tflow:daf8c45d27ff\tbytes=5,981, dst_ip=172.234.197.23, dst_port=22, pkts=25, proto=tcp, src_ip=45.148.10.121\t\nflow\tflow:f7a277f9998b\tbytes=697, dst_ip=172.234.197.23, dst_port=21, pkts=10, proto=tcp, src_ip=3.143.162.210\t\nflow\tflow:c7fc0633636d\tbytes=162, dst_ip=172.234.197.23, dst_port=443, pkts=3, proto=tcp, src_ip=40.77.167.4\t\nflow\tflow:415bdf268435\tbytes=282, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:a54692a6979d\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=51.224.129.180\t\nflow\tflow:7ac69d00b687\tbytes=313, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:a4bc84010efc\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=108.136.195.128\t\nflow\tflow:da8d91463c3d\tbytes=148, dst_ip=172.234.197.23, dst_port=2,002, pkts=2, proto=tcp, src_ip=199.45.155.73\t\nflow\tflow:a0f73d4e1f2a\tbytes=313, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:a697fcd98900\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=54.226.218.70\t\nflow\tflow:81d4435dcab9\tbytes=24,897, dst_ip=172.234.197.23, dst_port=443, pkts=47, proto=tcp, src_ip=40.77.167.27\t\nflow\tflow:484583ddd05a\tbytes=313, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:83a5cffc6703\tbytes=36,871, dst_ip=185.125.188.57, dst_port=443, pkts=50, proto=tcp, src_ip=172.234.197.23\t\nflow\tflow:3a5125854ad8\tbytes=32,958, dst_ip=172.234.197.23, dst_port=443, pkts=38, proto=tcp, src_ip=172.236.119.165\t\nflow\tflow:c8c5a6720f95\tbytes=1,522, dst_ip=172.234.197.23, dst_port=80, pkts=12, proto=tcp, src_ip=78.153.140.149\t\nflow\tflow:696377210741\tbytes=1,248, dst_ip=172.234.197.23, dst_port=80, pkts=10, proto=tcp, src_ip=43.173.132.115\t\nflow\tflow:d660fa8ff9b1\tbytes=172, dst_ip=92.118.39.236, dst_port=46,006, pkts=2, proto=tcp, src_ip=172.234.197.23\t\nflow\tflow:f56c5e5e9322\tbytes=100, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=103.220.165.12\t\nflow\tflow:0433b793a6a9\tbytes=6,689, dst_ip=172.234.197.23, dst_port=443, pkts=27, proto=tcp, src_ip=14.152.83.244\t\nflow\tflow:70c428feea0e\tbytes=282, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:441658b54583\tbytes=6,477, dst_ip=172.234.197.23, dst_port=443, pkts=23, proto=tcp, src_ip=43.173.132.82\t\nflow\tflow:88adc449314f\tbytes=313, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:d71d4a109401\tbytes=6,416, dst_ip=172.234.197.23, dst_port=443, pkts=22, proto=tcp, src_ip=43.173.187.143\t\nflow\tflow:fb0a88ae25c4\tbytes=15,470, dst_ip=172.234.197.23, dst_port=443, pkts=36, proto=tcp, src_ip=91.227.37.60\t\nflow\tflow:d7d8a1790678\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=51.224.123.234\t\nflow\tflow:ef50ec85480c\tbytes=166, dst_ip=172.234.197.23, dst_port=80, pkts=3, proto=tcp, src_ip=5.61.209.107\t\nflow\tflow:cbf075d8966a\tbytes=6,406, dst_ip=172.234.197.23, dst_port=22, pkts=36, proto=tcp, src_ip=92.118.39.196\t\nflow\tflow:5f0f49123cd7\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=108.137.154.183\t\nflow\tflow:f2155c27e443\tbytes=1,308, dst_ip=172.234.197.23, dst_port=80, pkts=10, proto=tcp, src_ip=78.153.140.149\t\nflow\tflow:143398f9d784\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=13.216.252.177\t\nflow\tflow:dd59f847be17\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=108.137.71.172\t\nflow\tflow:9177236cf88d\tbytes=1,321, dst_ip=172.234.197.23, dst_port=80, pkts=7, proto=tcp, src_ip=5.61.209.107\t\nflow\tflow:4ddbe4acc504\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=32.195.50.176\t\nflow\tflow:d9cdb794d862\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=51.224.214.156\t\nflow\tflow:347478b466ec\tbytes=6,622, dst_ip=172.234.197.23, dst_port=443, pkts=25, proto=tcp, src_ip=14.17.85.204\t\nflow\tflow:670bf8372bed\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=108.136.195.128\t\nflow\tflow:c853014c7a67\tbytes=282, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:3b056e5c7d7c\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=108.136.231.22\t\nflow\tflow:7027314e9f62\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=54.237.9.199\t\nflow\tflow:481bc4d957af\tbytes=172, dst_ip=92.118.39.236, dst_port=46,006, pkts=2, proto=tcp, src_ip=172.234.197.23\t\nflow\tflow:a17816cafef4\tbytes=5,320, dst_ip=172.234.197.23, dst_port=443, pkts=10, proto=tcp, src_ip=43.172.194.114\t\nflow\tflow:27bcaa9bf1c4\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=13.250.21.18\t\nflow\tflow:6bb1f29d53ff\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=3.234.246.186\t\nflow\tflow:5c0f3e09f588\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=108.136.231.22\t\nflow\tflow:1ef937ba29a6\tbytes=148, dst_ip=172.234.197.23, dst_port=443, pkts=2, proto=tcp, src_ip=43.172.194.114\t\nflow\tflow:9bafda49b279\tbytes=108, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=172.98.199.111\t\nflow\tflow:449957d41315\tbytes=286, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:84372b4c9378\tbytes=313, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:bcd27756aa40\tbytes=38,745, dst_ip=172.234.197.23, dst_port=443, pkts=57, proto=tcp, src_ip=40.77.167.4\t\nflow\tflow:1507855d0ab9\tbytes=313, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:a34856d5d292\tbytes=148, dst_ip=172.234.197.23, dst_port=2,002, pkts=2, proto=tcp, src_ip=199.45.155.73\t\nflow\tflow:0f6e4fea1ebd\tbytes=313, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:7823764fbd64\tbytes=282, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\nflow\tflow:8c9867a7b467\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=108.136.220.138\t\nflow\tflow:d2aa3d958328\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=18.138.243.16\t\nflow\tflow:4e35f51811d2\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=16.78.103.11\t\nflow\tflow:e0e919fe14b3\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=51.224.145.152\t\nflow\tflow:18c0bf5b5d25\tbytes=164, dst_ip=172.234.197.23, dst_port=0, pkts=2, proto=icmp, src_ip=44.203.55.60\t\nflow\tflow:c55c01d60832\tbytes=282, dst_ip=172.232.0.17, dst_port=53, pkts=2, proto=udp, src_ip=172.234.197.23\t\ngeo_point\tgeo_36.66940_-78.38770\tcity=Boydton, country=US\t[36.6694, -78.3877, 0.0000] \ud83c\udf10\ngeo_point\tgeo_52.37590_4.89750\tcity=Amsterdam, country=NL\t[52.3759, 4.8975, 0.0000] \ud83c\udf10\ngeo_point\tgeo_-6.21140_106.84460\tcity=Jakarta, country=ID\t[-6.2114, 106.8446, 0.0000] \ud83c\udf10\ngeo_point\tgeo_41.88350_-87.63050\tcity=Chicago, country=US\t[41.8835, -87.6305, 0.0000] \ud83c\udf10\ngeo_point\tgeo_10.48730_-66.87380\tcity=Caracas, country=VE\t[10.4873, -66.8738, 0.0000] \ud83c\udf10\ngeo_point\tgeo_39.96250_-83.00610\tcity=Columbus, country=US\t[39.9625, -83.0061, 0.0000] \ud83c\udf10\ngeo_point\tgeo_45.99680_24.99700\tcity=, country=RO\t[45.9968, 24.9970, 0.0000] \ud83c\udf10\ngeo_point\tgeo_39.04690_-77.49030\tcity=Ashburn, country=US\t[39.0469, -77.4903, 0.0000] \ud83c\udf10\ngeo_point\tgeo_-4.58330_55.66670\tcity=, country=SC\t[-4.5833, 55.6667, 0.0000] \ud83c\udf10\ngeo_point\tgeo_51.51640_-0.09300\tcity=City of London, country=GB\t[51.5164, -0.0930, 0.0000] \ud83c\udf10\ngeo_point\tgeo_52.51960_13.40690\tcity=Berlin, country=DE\t[52.5196, 13.4069, 0.0000] \ud83c\udf10\ngeo_point\tgeo_1.29390_103.84610\tcity=Singapore, country=SG\t[1.2939, 103.8461, 0.0000] \ud83c\udf10\ngeo_point\tgeo_34.77320_113.72200\tcity=, country=CN\t[34.7732, 113.7220, 0.0000] \ud83c\udf10\ngeo_point\tgeo_-6.82270_39.29100\tcity=, country=TZ\t[-6.8227, 39.2910, 0.0000] \ud83c\udf10\ngeo_point\tgeo_34.57110_126.60100\tcity=Haenam-gun, country=KR\t[34.5711, 126.6010, 0.0000] \ud83c\udf10\ngeo_point\tgeo_37.75100_-97.82200\tcity=, country=US\t[37.7510, -97.8220, 0.0000] \ud83c\udf10\ngeo_point\tgeo_51.49640_-0.12240\tcity=, country=GB\t[51.4964, -0.1224, 0.0000] \ud83c\udf10\ngeo_point\tgeo_48.85580_2.34940\tcity=Paris, country=FR\t[48.8558, 2.3494, 0.0000] \ud83c\udf10\ngeo_point\tgeo_1.36670_103.80000\tcity=, country=SG\t[1.3667, 103.8000, 0.0000] \ud83c\udf10\nhost\thost:3.234.246.186\tbytes=164, city=Ashburn, country=US, ip=3.234.246.186, org=Amazon.com, Inc.\t[39.0469, -77.4903, 0.0000] \ud83c\udf10\nhost\thost:32.195.50.176\tbytes=164, city=, country=US, ip=32.195.50.176, org=\t[37.7510, -97.8220, 0.0000] \ud83c\udf10\nhost\thost:18.138.243.16\tbytes=164, city=Singapore, country=SG, ip=18.138.243.16, org=Amazon.com, Inc.\t[1.2939, 103.8461, 0.0000] \ud83c\udf10\nhost\thost:108.136.220.138\tbytes=164, city=Jakarta, country=ID, ip=108.136.220.138, org=Amazon.com, Inc.\t[-6.2114, 106.8446, 0.0000] \ud83c\udf10\nhost\thost:199.45.155.73\tbytes=148, city=, country=US, ip=199.45.155.73, org=Censys, Inc.\t[37.7510, -97.8220, 0.0000] \ud83c\udf10\nhost\thost:172.232.0.17\tbytes=282, city=Chicago, country=US, ip=172.232.0.17, org=Akamai Connected Cloud\t[41.8835, -87.6305, 0.0000] \ud83c\udf10\nhost\thost:43.173.132.82\tbytes=6,477, city=Singapore, country=SG, ip=43.173.132.82, org=Tencent Building, Kejizhongyi Avenue\t[1.2939, 103.8461, 0.0000] \ud83c\udf10\nhost\thost:103.220.165.12\tbytes=100, city=, country=CN, ip=103.220.165.12, org=China Unicom\t[34.7732, 113.7220, 0.0000] \ud83c\udf10\nhost\thost:54.226.218.70\tbytes=164, city=Ashburn, country=US, ip=54.226.218.70, org=Amazon.com, Inc.\t[39.0469, -77.4903, 0.0000] \ud83c\udf10\nhost\thost:13.250.21.18\tbytes=164, city=Singapore, country=SG, ip=13.250.21.18, org=Amazon.com, Inc.\t[1.2939, 103.8461, 0.0000] \ud83c\udf10\nhost\thost:40.77.167.4\tbytes=38,745, city=Boydton, country=US, ip=40.77.167.4, org=Microsoft Corporation\t[36.6694, -78.3877, 0.0000] \ud83c\udf10\nhost\thost:51.224.53.243\tbytes=164, city=Berlin, country=DE, ip=51.224.53.243, org=Amazon.com, Inc.\t[52.5196, 13.4069, 0.0000] \ud83c\udf10\nhost\thost:54.227.57.227\tbytes=5,239, city=Ashburn, country=US, ip=54.227.57.227, org=Amazon.com, Inc.\t[39.0469, -77.4903, 0.0000] \ud83c\udf10\nhost\thost:13.229.125.1\tbytes=164, city=Singapore, country=SG, ip=13.229.125.1, org=Amazon.com, Inc.\t[1.2939, 103.8461, 0.0000] \ud83c\udf10\nhost\thost:14.152.83.244\tbytes=6,689, city=, country=CN, ip=14.152.83.244, org=CHINANET Guangdong province network\t[34.7732, 113.7220, 0.0000] \ud83c\udf10\nhost\thost:51.224.16.78\tbytes=164, city=Berlin, country=DE, ip=51.224.16.78, org=Amazon.com, Inc.\t[52.5196, 13.4069, 0.0000] \ud83c\udf10\nhost\thost:185.125.188.57\tbytes=36,871, city=, country=GB, ip=185.125.188.57, org=Canonical Group Limited\t[51.4964, -0.1224, 0.0000] \ud83c\udf10\nhost\thost:44.203.55.60\tbytes=164, city=Ashburn, country=US, ip=44.203.55.60, org=Amazon.com, Inc.\t[39.0469, -77.4903, 0.0000] \ud83c\udf10\nhost\thost:13.216.252.177\tbytes=164, city=Ashburn, country=US, ip=13.216.252.177, org=Amazon.com, Inc.\t[39.0469, -77.4903, 0.0000] \ud83c\udf10\nhost\thost:51.224.214.156\tbytes=164, city=Berlin, country=DE, ip=51.224.214.156, org=Amazon.com, Inc.\t[52.5196, 13.4069, 0.0000] \ud83c\udf10\nhost\thost:91.227.37.60\tbytes=15,470, city=Paris, country=FR, ip=91.227.37.60, org=Eurofiber France SAS\t[48.8558, 2.3494, 0.0000] \ud83c\udf10\nhost\thost:54.237.9.199\tbytes=164, city=Ashburn, country=US, ip=54.237.9.199, org=Amazon.com, Inc.\t[39.0469, -77.4903, 0.0000] \ud83c\udf10\nhost\thost:92.118.39.196\tbytes=6,406, city=, country=RO, ip=92.118.39.196, org=Unmanaged Ltd\t[45.9968, 24.9970, 0.0000] \ud83c\udf10\nhost\thost:108.137.123.21\tbytes=164, city=Jakarta, country=ID, ip=108.137.123.21, org=Amazon.com, Inc.\t[-6.2114, 106.8446, 0.0000] \ud83c\udf10\nhost\thost:221.156.137.102\tbytes=4,957, city=Haenam-gun, country=KR, ip=221.156.137.102, org=Korea Telecom\t[34.5711, 126.6010, 0.0000] \ud83c\udf10\nhost\thost:51.224.145.152\tbytes=164, city=Berlin, country=DE, ip=51.224.145.152, org=Amazon.com, Inc.\t[52.5196, 13.4069, 0.0000] \ud83c\udf10\nhost\thost:172.234.197.23\tbytes=164, city=Chicago, country=US, ip=172.234.197.23, org=Akamai Connected Cloud\t[41.8835, -87.6305, 0.0000] \ud83c\udf10\nhost\thost:5.61.209.107\tbytes=1,321, city=, country=SC, ip=5.61.209.107, org=Amarutu Technology Ltd\t[-4.5833, 55.6667, 0.0000] \ud83c\udf10\nhost\thost:78.153.140.149\tbytes=1,522, city=City of London, country=GB, ip=78.153.140.149, org=Hostglobal.plus Ltd\t[51.5164, -0.0930, 0.0000] \ud83c\udf10\nhost\thost:51.224.123.234\tbytes=164, city=Berlin, country=DE, ip=51.224.123.234, org=Amazon.com, Inc.\t[52.5196, 13.4069, 0.0000] \ud83c\udf10\nhost\thost:16.79.76.70\tbytes=164, city=Jakarta, country=ID, ip=16.79.76.70, org=Amazon.com, Inc.\t[-6.2114, 106.8446, 0.0000] \ud83c\udf10\nhost\thost:3.143.162.210\tbytes=697, city=Columbus, country=US, ip=3.143.162.210, org=Amazon.com, Inc.\t[39.9625, -83.0061, 0.0000] \ud83c\udf10\nhost\thost:43.173.132.115\tbytes=1,248, city=Singapore, country=SG, ip=43.173.132.115, org=Tencent Building, Kejizhongyi Avenue\t[1.2939, 103.8461, 0.0000] \ud83c\udf10\nhost\thost:102.69.167.14\tbytes=228, city=, country=TZ, ip=102.69.167.14, org=Flashnet-Technologies-Limited\t[-6.8227, 39.2910, 0.0000] \ud83c\udf10\nhost\thost:82.86.130.0\tbytes=148, city=Caracas, country=VE, ip=82.86.130.0, org=THUNDERNET, C.A.\t[10.4873, -66.8738, 0.0000] \ud83c\udf10\nhost\thost:108.136.195.128\tbytes=164, city=Jakarta, country=ID, ip=108.136.195.128, org=Amazon.com, Inc.\t[-6.2114, 106.8446, 0.0000] \ud83c\udf10\nhost\thost:45.148.10.121\tbytes=5,981, city=Amsterdam, country=NL, ip=45.148.10.121, org=Techoff Srv Limited\t[52.3759, 4.8975, 0.0000] \ud83c\udf10\nhost\thost:172.236.119.165\tbytes=32,958, city=Chicago, country=US, ip=172.236.119.165, org=Akamai Connected Cloud\t[41.8835, -87.6305, 0.0000] \ud83c\udf10\nhost\thost:92.118.39.236\tbytes=172, city=, country=RO, ip=92.118.39.236, org=Unmanaged Ltd\t[45.9968, 24.9970, 0.0000] \ud83c\udf10\nhost\thost:3.220.15.173\tbytes=1,353, city=Ashburn, country=US, ip=3.220.15.173, org=Amazon.com, Inc.\t[39.0469, -77.4903, 0.0000] \ud83c\udf10\nhost\thost:51.224.129.180\tbytes=164, city=Berlin, country=DE, ip=51.224.129.180, org=Amazon.com, Inc.\t[52.5196, 13.4069, 0.0000] \ud83c\udf10\nhost\thost:40.77.167.27\tbytes=24,897, city=Boydton, country=US, ip=40.77.167.27, org=Microsoft Corporation\t[36.6694, -78.3877, 0.0000] \ud83c\udf10\nhost\thost:172.98.199.111\tbytes=108, city=, country=US, ip=172.98.199.111, org=Centrilogic, Inc.\t[37.7510, -97.8220, 0.0000] \ud83c\udf10\nhost\thost:103.155.16.117\tbytes=84, city=Singapore, country=SG, ip=103.155.16.117, org=Kaopu Cloud HK Limited\t[1.2939, 103.8461, 0.0000] \ud83c\udf10\nhost\thost:16.78.103.11\tbytes=164, city=Jakarta, country=ID, ip=16.78.103.11, org=Amazon.com, Inc.\t[-6.2114, 106.8446, 0.0000] \ud83c\udf10\nhost\thost:108.137.71.172\tbytes=164, city=Jakarta, country=ID, ip=108.137.71.172, org=Amazon.com, Inc.\t[-6.2114, 106.8446, 0.0000] \ud83c\udf10\nhost\thost:14.17.85.204\tbytes=1,228, city=, country=CN, ip=14.17.85.204, org=CHINANET Guangdong province network\t[34.7732, 113.7220, 0.0000] \ud83c\udf10\nhost\thost:108.136.231.22\tbytes=164, city=Jakarta, country=ID, ip=108.136.231.22, org=Amazon.com, Inc.\t[-6.2114, 106.8446, 0.0000] \ud83c\udf10\nhost\thost:43.173.187.143\tbytes=6,416, city=Singapore, country=SG, ip=43.173.187.143, org=Tencent Building, Kejizhongyi Avenue\t[1.2939, 103.8461, 0.0000] \ud83c\udf10\nhost\thost:43.172.194.114\tbytes=148, city=, country=SG, ip=43.172.194.114, org=Tencent Building, Kejizhongyi Avenue\t[1.3667, 103.8000, 0.0000] \ud83c\udf10\nhost\thost:108.137.154.183\tbytes=164, city=Jakarta, country=ID, ip=108.137.154.183, org=Amazon.com, Inc.\t[-6.2114, 106.8446, 0.0000] \ud83c\udf10\nhost\thost:108.136.246.109\tbytes=164, city=Jakarta, country=ID, ip=108.136.246.109, org=Amazon.com, Inc.\t[-6.2114, 106.8446, 0.0000] \ud83c\udf10\nhttp_host\thttp_host:172.234.197.23\thost=172.234.197.23\t\nhttp_host\thttp_host:172.234.197.23:80\thost=172.234.197.23:80\t\nhttp_host\thttp_host:172-234-197-23.ip.linodeusercontent.com\thost=172-234-197-23.ip.linodeusercontent.com\t\norg\torg:Centrilogic, Inc.\tname=Centrilogic, Inc.\t\norg\torg:THUNDERNET, C.A.\tname=THUNDERNET, C.A.\t\norg\torg:Amarutu Technology Ltd\tname=Amarutu Technology Ltd\t\norg\torg:CHINANET Guangdong province network\tname=CHINANET Guangdong province network\t\norg\torg:Kaopu Cloud HK Limited\tname=Kaopu Cloud HK Limited\t\norg\torg:Unmanaged Ltd\tname=Unmanaged Ltd\t\norg\torg:Microsoft Corporation\tname=Microsoft Corporation\t\norg\torg:Hostglobal.plus Ltd\tname=Hostglobal.plus Ltd\t\norg\torg:Censys, Inc.\tname=Censys, Inc.\t\norg\torg:Tencent Building, Kejizhongyi Avenue\tname=Tencent Building, Kejizhongyi Avenue\t\norg\torg:Canonical Group Limited\tname=Canonical Group Limited\t\norg\torg:Korea Telecom\tname=Korea Telecom\t\norg\torg:Akamai Connected Cloud\tname=Akamai Connected Cloud\t\norg\torg:Amazon.com, Inc.\tname=Amazon.com, Inc.\t\norg\torg:Eurofiber France SAS\tname=Eurofiber France SAS\t\norg\torg:China Unicom\tname=China Unicom\t\norg\torg:Techoff Srv Limited\tname=Techoff Srv Limited\t\norg\torg:Flashnet-Technologies-Limited\tname=Flashnet-Technologies-Limited\t\npcap_artifact\tPCAP:capture_20260505160001:6505a8988bcf\tfile_size=4,477, filename=capture_20260505160001.pcap, ingested_at=2026-05-05T21:55:37.029054+00:00\t\npcap_artifact\tPCAP:capture_20260505150001:90690819257f\tfile_size=10,557, filename=capture_20260505150001.pcap, ingested_at=2026-05-05T21:55:33.475737+00:00\t\npcap_artifact\tPCAP:capture_20260505180001:aab19cafbf97\tfile_size=7,550, filename=capture_20260505180001.pcap, ingested_at=2026-05-05T21:55:43.115368+00:00\t\npcap_artifact\tPCAP:capture_20260505190001:a68bf0af3b16\tfile_size=72,787, filename=capture_20260505190001.pcap, ingested_at=2026-05-05T21:55:44.814813+00:00\t\npcap_artifact\tPCAP:capture_20260505170001:ca2a90108bf2\tfile_size=39,107, filename=capture_20260505170001.pcap, ingested_at=2026-05-05T21:55:39.443855+00:00\t\npcap_artifact\tPCAP:capture_20260505210001:fe9b7b09d76a\tfile_size=62,137, filename=capture_20260505210001.pcap, ingested_at=2026-05-05T21:55:49.230892+00:00\t\npcap_artifact\tPCAP:capture_20260505200001:d502e7eabbdd\tfile_size=42,048, filename=capture_20260505200001.pcap, ingested_at=2026-05-05T21:55:47.191258+00:00\t\nport_hub\tport:tcp:80\tport=80, proto=tcp\t\nport_hub\tport:tcp:2002\tport=2,002, proto=tcp\t\nport_hub\tport:tcp:22\tport=22, proto=tcp\t\nport_hub\tport:udp:53\tport=53, proto=udp\t\nport_hub\tport:tcp:443\tport=443, proto=tcp\t\nport_hub\tport:tcp:21\tport=21, proto=tcp\t\nport_hub\tport:tcp:23\tport=23, proto=tcp\t\nport_hub\tport:tcp:46006\tport=46,006, proto=tcp\t\nprotocol_event\tpe:syn:SESSION-432ab8a16199cf6c\tcount=2, event_type=TCP_SYN, session=SESSION-432ab8a16199cf6c\t\nprotocol_event\tpe:syn:SESSION-112a52c8741e1f24\tcount=2, event_type=TCP_SYN, session=SESSION-112a52c8741e1f24\t\nprotocol_event\tpe:dns:SESSION-402c59976f95ccac\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-402c59976f95ccac\t\nprotocol_event\tpe:syn:SESSION-5d116249fba5ef1a\tcount=2, event_type=TCP_SYN, session=SESSION-5d116249fba5ef1a\t\nprotocol_event\tpe:rst:SESSION-5b835c6ebb995a7d\tcount=1, event_type=TCP_RST, session=SESSION-5b835c6ebb995a7d\t\nprotocol_event\tpe:tls:SESSION-afdbc113425d69ae\tevent_type=TLS_SESSION, packet_count=36, session=SESSION-afdbc113425d69ae\t\nprotocol_event\tpe:dns:SESSION-b6b6a46eb2435b2c\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-b6b6a46eb2435b2c\t\nprotocol_event\tpe:dns:SESSION-93e42c11b9b89aaf\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-93e42c11b9b89aaf\t\nprotocol_event\tpe:rst:SESSION-432ab8a16199cf6c\tcount=1, event_type=TCP_RST, session=SESSION-432ab8a16199cf6c\t\nprotocol_event\tpe:syn:SESSION-901a03ef18d43905\tcount=2, event_type=TCP_SYN, session=SESSION-901a03ef18d43905\t\nprotocol_event\tpe:syn:SESSION-859dff0703adcd19\tcount=2, event_type=TCP_SYN, session=SESSION-859dff0703adcd19\t\nprotocol_event\tpe:tls:SESSION-f439a23db4014944\tevent_type=TLS_SESSION, packet_count=25, session=SESSION-f439a23db4014944\t\nprotocol_event\tpe:dns:SESSION-08dd2a06bab4a852\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-08dd2a06bab4a852\t\nprotocol_event\tpe:dns:SESSION-9d04f6d7b357bacd\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-9d04f6d7b357bacd\t\nprotocol_event\tpe:syn:SESSION-afdbc113425d69ae\tcount=2, event_type=TCP_SYN, session=SESSION-afdbc113425d69ae\t\nprotocol_event\tpe:tls:SESSION-c9df47030e6edeae\tevent_type=TLS_SESSION, packet_count=3, session=SESSION-c9df47030e6edeae\t\nprotocol_event\tpe:syn:SESSION-1164951de921d536\tcount=2, event_type=TCP_SYN, session=SESSION-1164951de921d536\t\nprotocol_event\tpe:dns:SESSION-1d2c12c54a6b8ee9\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-1d2c12c54a6b8ee9\t\nprotocol_event\tpe:tls:SESSION-5d116249fba5ef1a\tevent_type=TLS_SESSION, packet_count=27, session=SESSION-5d116249fba5ef1a\t\nprotocol_event\tpe:syn:SESSION-989e93673dd1c7a6\tcount=2, event_type=TCP_SYN, session=SESSION-989e93673dd1c7a6\t\nprotocol_event\tpe:dns:SESSION-ac2fa7388db2f6bf\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-ac2fa7388db2f6bf\t\nprotocol_event\tpe:tls:SESSION-15c7d6c96ae38709\tevent_type=TLS_SESSION, packet_count=10, session=SESSION-15c7d6c96ae38709\t\nprotocol_event\tpe:syn:SESSION-8ead85dcd9724179\tcount=2, event_type=TCP_SYN, session=SESSION-8ead85dcd9724179\t\nprotocol_event\tpe:dns:SESSION-28d60172800a0b5c\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-28d60172800a0b5c\t\nprotocol_event\tpe:syn:SESSION-90d5b2c6338c7815\tcount=2, event_type=TCP_SYN, session=SESSION-90d5b2c6338c7815\t\nprotocol_event\tpe:syn:SESSION-4be2484ef7d205f9\tcount=2, event_type=TCP_SYN, session=SESSION-4be2484ef7d205f9\t\nprotocol_event\tpe:tls:SESSION-1164951de921d536\tevent_type=TLS_SESSION, packet_count=57, session=SESSION-1164951de921d536\t\nprotocol_event\tpe:rst:SESSION-6161ce1063e366a2\tcount=1, event_type=TCP_RST, session=SESSION-6161ce1063e366a2\t\nprotocol_event\tpe:dns:SESSION-cef22d690e31564a\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-cef22d690e31564a\t\nprotocol_event\tpe:dns:SESSION-1e693ff8754b6a4b\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-1e693ff8754b6a4b\t\nprotocol_event\tpe:dns:SESSION-29997713c592805d\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-29997713c592805d\t\nprotocol_event\tpe:dns:SESSION-5ceacf6e3fad521a\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-5ceacf6e3fad521a\t\nprotocol_event\tpe:rst:SESSION-98342a2659e39b9d\tcount=2, event_type=TCP_RST, session=SESSION-98342a2659e39b9d\t\nprotocol_event\tpe:syn:SESSION-c70914c01a4dbe00\tcount=2, event_type=TCP_SYN, session=SESSION-c70914c01a4dbe00\t\nprotocol_event\tpe:dns:SESSION-ba31b8d0bcea573c\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-ba31b8d0bcea573c\t\nprotocol_event\tpe:dns:SESSION-d1d3131167e5d8a7\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-d1d3131167e5d8a7\t\nprotocol_event\tpe:syn:SESSION-061b514c6b7df469\tcount=2, event_type=TCP_SYN, session=SESSION-061b514c6b7df469\t\nprotocol_event\tpe:dns:SESSION-d4533a7174934c47\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-d4533a7174934c47\t\nprotocol_event\tpe:syn:SESSION-f439a23db4014944\tcount=2, event_type=TCP_SYN, session=SESSION-f439a23db4014944\t\nprotocol_event\tpe:tls:SESSION-52ca69764e41f269\tevent_type=TLS_SESSION, packet_count=47, session=SESSION-52ca69764e41f269\t\nprotocol_event\tpe:rst:SESSION-51b92cc6a561b81c\tcount=2, event_type=TCP_RST, session=SESSION-51b92cc6a561b81c\t\nprotocol_event\tpe:syn:SESSION-51b92cc6a561b81c\tcount=2, event_type=TCP_SYN, session=SESSION-51b92cc6a561b81c\t\nprotocol_event\tpe:tls:SESSION-061b514c6b7df469\tevent_type=TLS_SESSION, packet_count=38, session=SESSION-061b514c6b7df469\t\nprotocol_event\tpe:dns:SESSION-56879d86cd26b6ef\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-56879d86cd26b6ef\t\nprotocol_event\tpe:dns:SESSION-6809ae9f3f9de168\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-6809ae9f3f9de168\t\nprotocol_event\tpe:syn:SESSION-548e9314b3086ca9\tcount=2, event_type=TCP_SYN, session=SESSION-548e9314b3086ca9\t\nprotocol_event\tpe:syn:SESSION-e07d35bac2ad33a9\tcount=2, event_type=TCP_SYN, session=SESSION-e07d35bac2ad33a9\t\nprotocol_event\tpe:syn:SESSION-5b835c6ebb995a7d\tcount=2, event_type=TCP_SYN, session=SESSION-5b835c6ebb995a7d\t\nprotocol_event\tpe:rst:SESSION-48538346c6e3fa4e\tcount=1, event_type=TCP_RST, session=SESSION-48538346c6e3fa4e\t\nprotocol_event\tpe:tls:SESSION-8ead85dcd9724179\tevent_type=TLS_SESSION, packet_count=22, session=SESSION-8ead85dcd9724179\t\nprotocol_event\tpe:tls:SESSION-51b92cc6a561b81c\tevent_type=TLS_SESSION, packet_count=23, session=SESSION-51b92cc6a561b81c\t\nprotocol_event\tpe:syn:SESSION-ad1c4ddd91bc1148\tcount=2, event_type=TCP_SYN, session=SESSION-ad1c4ddd91bc1148\t\nprotocol_event\tpe:syn:SESSION-98342a2659e39b9d\tcount=2, event_type=TCP_SYN, session=SESSION-98342a2659e39b9d\t\nprotocol_event\tpe:tls:SESSION-6161ce1063e366a2\tevent_type=TLS_SESSION, packet_count=50, session=SESSION-6161ce1063e366a2\t\nprotocol_event\tpe:syn:SESSION-6161ce1063e366a2\tcount=2, event_type=TCP_SYN, session=SESSION-6161ce1063e366a2\t\nprotocol_event\tpe:syn:SESSION-52ca69764e41f269\tcount=2, event_type=TCP_SYN, session=SESSION-52ca69764e41f269\t\nprotocol_event\tpe:syn:SESSION-b43027ed299d5e94\tcount=2, event_type=TCP_SYN, session=SESSION-b43027ed299d5e94\t\nprotocol_event\tpe:dns:SESSION-6f371d3a9290449b\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-6f371d3a9290449b\t\nprotocol_event\tpe:dns:SESSION-134b659b9f89c977\tevent_type=DNS_EXCHANGE, query_count=2, session=SESSION-134b659b9f89c977\t\nprotocol_event\tpe:syn:SESSION-4561579556c17060\tcount=2, event_type=TCP_SYN, session=SESSION-4561579556c17060\t\nprotocol_event\tpe:tls:SESSION-4561579556c17060\tevent_type=TLS_SESSION, packet_count=23, session=SESSION-4561579556c17060\t\nprotocol_event\tpe:tls:SESSION-98342a2659e39b9d\tevent_type=TLS_SESSION, packet_count=4, session=SESSION-98342a2659e39b9d\t\nprotocol_event\tpe:tls:SESSION-8946fc29c6b46f6d\tevent_type=TLS_SESSION, packet_count=2, session=SESSION-8946fc29c6b46f6d\t\nprotocol_event\tpe:rst:SESSION-8f7048e06d096abe\tcount=1, event_type=TCP_RST, session=SESSION-8f7048e06d096abe\t\nprotocol_event\tpe:syn:SESSION-fb52ff5a15515e30\tcount=2, event_type=TCP_SYN, session=SESSION-fb52ff5a15515e30\t\nprotocol_event\tpe:syn:SESSION-8946fc29c6b46f6d\tcount=2, event_type=TCP_SYN, session=SESSION-8946fc29c6b46f6d\t\nservice\tsvc:ssh\tname=ssh\t\nservice\tsvc:dns\tname=dns\t\nservice\tsvc:http\tname=http\t\nservice\tsvc:https\tname=https\t\nsession\tSESSION-b0bace154ed8e7e1\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,993,249.075, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=103.220.165.12, start_time=1,777,993,249.074, tcp_flags=, time_bucket=1,777,993,230, total_bytes=100, window_sec=30\t\nsession\tSESSION-90b1be10321455be\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,996,844.224, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=172.98.199.111, start_time=1,777,996,844.223, tcp_flags=, time_bucket=1,777,996,830, total_bytes=108, window_sec=30\t\nsession\tSESSION-cef22d690e31564a\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,007,601.844, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=57,746, start_time=1,778,007,601.843, tcp_flags=, time_bucket=1,778,007,600, total_bytes=313, window_sec=30\t\nsession\tSESSION-4be2484ef7d205f9\tdst_ip=172.234.197.23, dst_port=2,002, duration_sec=1.05, end_time=1,778,014,821.047, expected_protocol=unregistered:2002, packet_count=2, proto=TCP, protocol_anomaly_score=0.3, protocol_violations=tcp_syn_only, protocols=TCP, src_ip=199.45.155.73, src_port=45,178, start_time=1,778,014,819.994, tcp_flags=S, time_bucket=1,778,014,800, total_bytes=148, window_sec=30\t\nsession\tSESSION-d4533a7174934c47\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,000,401.24, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=35,286, start_time=1,778,000,401.239, tcp_flags=, time_bucket=1,778,000,400, total_bytes=282, window_sec=30\t\nsession\tSESSION-29997713c592805d\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,014,801.402, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=34,319, start_time=1,778,014,801.4, tcp_flags=, time_bucket=1,778,014,800, total_bytes=313, window_sec=30\t\nsession\tSESSION-52ca69764e41f269\tdst_ip=172.234.197.23, dst_port=443, duration_sec=12.74, end_time=1,778,007,626.356, expected_protocol=https, packet_count=47, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=40.77.167.27, src_port=59,868, start_time=1,778,007,613.617, tcp_flags=A,S,F,P, time_bucket=1,778,007,600, total_bytes=24,897, window_sec=30\t\nsession\tSESSION-fb52ff5a15515e30\tdst_ip=172.234.197.23, dst_port=2,002, duration_sec=1, end_time=1,778,014,819.828, expected_protocol=unregistered:2002, packet_count=2, proto=TCP, protocol_anomaly_score=0.3, protocol_violations=tcp_syn_only, protocols=TCP, src_ip=199.45.155.73, src_port=45,172, start_time=1,778,014,818.824, tcp_flags=S, time_bucket=1,778,014,800, total_bytes=148, window_sec=30\t\nsession\tSESSION-112a52c8741e1f24\tdst_ip=172.234.197.23, dst_port=80, duration_sec=0.21, end_time=1,777,996,855.022, expected_protocol=http, packet_count=7, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=5.61.209.107, src_port=49,978, start_time=1,777,996,854.814, tcp_flags=A,S,P, time_bucket=1,777,996,830, total_bytes=1,321, window_sec=30\t\nsession\tSESSION-0280199fcf3ea167\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,000,435.246, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=32.195.50.176, start_time=1,778,000,435.246, tcp_flags=, time_bucket=1,778,000,430, total_bytes=164, window_sec=30\t\nsession\tSESSION-98342a2659e39b9d\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0.24, end_time=1,777,993,214.403, expected_protocol=https, packet_count=4, proto=TCP, protocol_anomaly_score=0.35, protocol_violations=missing_tls, protocols=TCP, src_ip=102.69.167.14, src_port=52,811, start_time=1,777,993,214.167, tcp_flags=A,S,R, time_bucket=1,777,993,200, total_bytes=228, window_sec=30\t\nsession\tSESSION-901a03ef18d43905\tdst_ip=172.234.197.23, dst_port=80, duration_sec=0.48, end_time=1,778,014,841.738, expected_protocol=http, packet_count=10, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=78.153.140.149, src_port=59,550, start_time=1,778,014,841.261, tcp_flags=A,S,F,P, time_bucket=1,778,014,830, total_bytes=1,308, window_sec=30\t\nsession\tSESSION-432ab8a16199cf6c\tdst_ip=172.234.197.23, dst_port=22, duration_sec=13.94, end_time=1,778,014,816.619, expected_protocol=ssh, packet_count=36, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=92.118.39.196, src_port=55,612, start_time=1,778,014,802.682, tcp_flags=A,S,P,R, time_bucket=1,778,014,800, total_bytes=6,406, window_sec=30\t\nsession\tSESSION-1d2c12c54a6b8ee9\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,007,631.278, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=36,811, start_time=1,778,007,631.277, tcp_flags=, time_bucket=1,778,007,630, total_bytes=286, window_sec=30\t\nsession\tSESSION-5d116249fba5ef1a\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0.87, end_time=1,778,000,450.827, expected_protocol=https, packet_count=27, proto=TCP, protocol_anomaly_score=0.35, protocol_violations=missing_tls, protocols=TCP, src_ip=14.152.83.244, src_port=4,568, start_time=1,778,000,449.952, tcp_flags=A,S,P, time_bucket=1,778,000,430, total_bytes=6,689, window_sec=30\t\nsession\tSESSION-c260bd1d3b6a172d\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,993,231.814, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=51.224.123.234, start_time=1,777,993,231.814, tcp_flags=, time_bucket=1,777,993,230, total_bytes=164, window_sec=30\t\nsession\tSESSION-a4e2d049e521c4ea\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,004,004.98, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=13.250.21.18, start_time=1,778,004,004.98, tcp_flags=, time_bucket=1,778,004,000, total_bytes=164, window_sec=30\t\nsession\tSESSION-93e42c11b9b89aaf\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,777,993,201.654, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=53,466, start_time=1,777,993,201.653, tcp_flags=, time_bucket=1,777,993,200, total_bytes=282, window_sec=30\t\nsession\tSESSION-3936b227c1331c5d\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,993,203.91, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=108.136.231.22, start_time=1,777,993,203.91, tcp_flags=, time_bucket=1,777,993,200, total_bytes=164, window_sec=30\t\nsession\tSESSION-3da8c2fb5a75575f\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,996,814.382, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=108.136.231.22, start_time=1,777,996,814.382, tcp_flags=, time_bucket=1,777,996,800, total_bytes=164, window_sec=30\t\nsession\tSESSION-ad1c4ddd91bc1148\tdst_ip=172.234.197.23, dst_port=80, duration_sec=0.03, end_time=1,777,993,202.077, expected_protocol=http, packet_count=10, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=3.220.15.173, src_port=34,012, start_time=1,777,993,202.044, tcp_flags=A,S,F,P, time_bucket=1,777,993,200, total_bytes=1,353, window_sec=30\t\nsession\tSESSION-1e693ff8754b6a4b\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,777,996,801.469, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=57,362, start_time=1,777,996,801.467, tcp_flags=, time_bucket=1,777,996,800, total_bytes=282, window_sec=30\t\nsession\tSESSION-c9df47030e6edeae\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0.02, end_time=1,778,011,232.982, expected_protocol=https, packet_count=3, proto=TCP, protocol_anomaly_score=0.35, protocol_violations=missing_tls, protocols=TCP, src_ip=40.77.167.4, src_port=47,819, start_time=1,778,011,232.96, tcp_flags=A,F, time_bucket=1,778,011,230, total_bytes=162, window_sec=30\t\nsession\tSESSION-22dca0f7e254df40\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,996,803.516, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=108.136.246.109, start_time=1,777,996,803.516, tcp_flags=, time_bucket=1,777,996,800, total_bytes=164, window_sec=30\t\nsession\tSESSION-b6b6a46eb2435b2c\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,777,993,201.656, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=59,844, start_time=1,777,993,201.655, tcp_flags=, time_bucket=1,777,993,200, total_bytes=313, window_sec=30\t\nsession\tSESSION-402c59976f95ccac\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,007,631.279, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=54,219, start_time=1,778,007,631.279, tcp_flags=, time_bucket=1,778,007,630, total_bytes=238, window_sec=30\t\nsession\tSESSION-22e21c154242e139\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,993,204.044, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=108.136.195.128, start_time=1,777,993,204.044, tcp_flags=, time_bucket=1,777,993,200, total_bytes=164, window_sec=30\t\nsession\tSESSION-f439a23db4014944\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0.91, end_time=1,778,000,453.897, expected_protocol=https, packet_count=25, proto=TCP, protocol_anomaly_score=0.35, protocol_violations=missing_tls, protocols=TCP, src_ip=14.17.85.204, src_port=17,920, start_time=1,778,000,452.982, tcp_flags=A,S,P, time_bucket=1,778,000,430, total_bytes=6,622, window_sec=30\t\nsession\tSESSION-ac2fa7388db2f6bf\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,007,601.842, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=47,184, start_time=1,778,007,601.84, tcp_flags=, time_bucket=1,778,007,600, total_bytes=282, window_sec=30\t\nsession\tSESSION-8f7048e06d096abe\tdst_ip=92.118.39.236, dst_port=46,006, duration_sec=0.13, end_time=1,778,011,257.416, expected_protocol=unregistered:46006, packet_count=2, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=172.234.197.23, src_port=22, start_time=1,778,011,257.288, tcp_flags=R,A,P, time_bucket=1,778,011,230, total_bytes=172, window_sec=30\t\nsession\tSESSION-ba31b8d0bcea573c\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,777,996,801.471, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=47,441, start_time=1,777,996,801.47, tcp_flags=, time_bucket=1,777,996,800, total_bytes=313, window_sec=30\t\nsession\tSESSION-6161ce1063e366a2\tdst_ip=185.125.188.57, dst_port=443, duration_sec=5.89, end_time=1,778,007,637.165, expected_protocol=https, packet_count=50, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=172.234.197.23, src_port=56,486, start_time=1,778,007,631.28, tcp_flags=A,S,R,F,P, time_bucket=1,778,007,630, total_bytes=36,871, window_sec=30\t\nsession\tSESSION-b43027ed299d5e94\tdst_ip=172.234.197.23, dst_port=22, duration_sec=0.92, end_time=1,778,007,635.972, expected_protocol=ssh, packet_count=25, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=45.148.10.121, src_port=47,328, start_time=1,778,007,635.049, tcp_flags=A,S,F,P, time_bucket=1,778,007,630, total_bytes=5,981, window_sec=30\t\nsession\tSESSION-6f591a82d04e2f23\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,993,214.433, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=108.137.154.183, start_time=1,777,993,214.433, tcp_flags=, time_bucket=1,777,993,200, total_bytes=164, window_sec=30\t\nsession\tSESSION-cc46316b9ac69b28\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,996,814.641, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=108.136.195.128, start_time=1,777,996,814.641, tcp_flags=, time_bucket=1,777,996,800, total_bytes=164, window_sec=30\t\nsession\tSESSION-548e9314b3086ca9\tdst_ip=172.234.197.23, dst_port=21, duration_sec=0.04, end_time=1,778,007,605.623, expected_protocol=ftp-ctrl, packet_count=10, proto=TCP, protocol_anomaly_score=0.1, protocol_violations=risk_port, protocols=TCP, src_ip=3.143.162.210, src_port=44,962, start_time=1,778,007,605.58, tcp_flags=A,S,F,P, time_bucket=1,778,007,600, total_bytes=697, window_sec=30\t\nsession\tSESSION-5ad6262f0c135833\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,993,203.565, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=16.78.103.11, start_time=1,777,993,203.565, tcp_flags=, time_bucket=1,777,993,200, total_bytes=164, window_sec=30\t\nsession\tSESSION-08dd2a06bab4a852\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,011,201.607, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=55,699, start_time=1,778,011,201.605, tcp_flags=, time_bucket=1,778,011,200, total_bytes=282, window_sec=30\t\nsession\tSESSION-34afdab6201869ee\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,000,418.629, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=51.224.53.243, start_time=1,778,000,418.629, tcp_flags=, time_bucket=1,778,000,400, total_bytes=164, window_sec=30\t\nsession\tSESSION-d1099e585fa36f54\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,000,435.153, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=3.234.246.186, start_time=1,778,000,435.153, tcp_flags=, time_bucket=1,778,000,430, total_bytes=164, window_sec=30\t\nsession\tSESSION-48258acdb44fa51f\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,993,231.98, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=51.224.145.152, start_time=1,777,993,231.98, tcp_flags=, time_bucket=1,777,993,230, total_bytes=164, window_sec=30\t\nsession\tSESSION-90d5b2c6338c7815\tdst_ip=172.234.197.23, dst_port=23, duration_sec=1, end_time=1,777,993,259.128, expected_protocol=telnet, packet_count=2, proto=TCP, protocol_anomaly_score=0.75, protocol_violations=tcp_syn_only,risk_port, protocols=TCP, src_ip=82.86.130.0, src_port=17,598, start_time=1,777,993,258.13, tcp_flags=S, time_bucket=1,777,993,230, total_bytes=148, window_sec=30\t\nsession\tSESSION-d1d3131167e5d8a7\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,004,002.048, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=53,918, start_time=1,778,004,002.047, tcp_flags=, time_bucket=1,778,004,000, total_bytes=313, window_sec=30\t\nsession\tSESSION-8946fc29c6b46f6d\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0, end_time=1,778,000,459.927, expected_protocol=https, packet_count=2, proto=TCP, protocol_anomaly_score=0.35, protocol_violations=missing_tls, protocols=TCP, src_ip=43.172.194.114, src_port=53,474, start_time=1,778,000,459.927, tcp_flags=A,S, time_bucket=1,778,000,430, total_bytes=148, window_sec=30\t\nsession\tSESSION-4561579556c17060\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0.96, end_time=1,778,000,452.291, expected_protocol=https, packet_count=23, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=43.173.132.82, src_port=15,864, start_time=1,778,000,451.333, tcp_flags=A,S,P, time_bucket=1,778,000,430, total_bytes=6,477, window_sec=30\t\nsession\tSESSION-bf0cece70f740446\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,000,404.693, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=44.203.55.60, start_time=1,778,000,404.693, tcp_flags=, time_bucket=1,778,000,400, total_bytes=164, window_sec=30\t\nsession\tSESSION-e07d35bac2ad33a9\tdst_ip=172.234.197.23, dst_port=80, duration_sec=0.4, end_time=1,778,000,451.249, expected_protocol=http, packet_count=10, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=43.173.132.115, src_port=36,068, start_time=1,778,000,450.847, tcp_flags=A,S,F,P, time_bucket=1,778,000,430, total_bytes=1,248, window_sec=30\t\nsession\tSESSION-d8e778a85b00d06e\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,004,025.473, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=13.229.125.1, start_time=1,778,004,025.473, tcp_flags=, time_bucket=1,778,004,000, total_bytes=164, window_sec=30\t\nsession\tSESSION-28d60172800a0b5c\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,014,801.4, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=44,400, start_time=1,778,014,801.398, tcp_flags=, time_bucket=1,778,014,800, total_bytes=282, window_sec=30\t\nsession\tSESSION-1164951de921d536\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0.29, end_time=1,778,011,221.951, expected_protocol=https, packet_count=57, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=40.77.167.4, src_port=47,819, start_time=1,778,011,221.662, tcp_flags=A,S,P, time_bucket=1,778,011,200, total_bytes=38,745, window_sec=30\t\nsession\tSESSION-ec5c8fa8037e3562\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,996,808.445, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=103.155.16.117, start_time=1,777,996,808.445, tcp_flags=, time_bucket=1,777,996,800, total_bytes=84, window_sec=30\t\nsession\tSESSION-51b92cc6a561b81c\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0.17, end_time=1,777,993,202.246, expected_protocol=https, packet_count=23, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=54.227.57.227, src_port=37,869, start_time=1,777,993,202.079, tcp_flags=A,S,R,F,P, time_bucket=1,777,993,200, total_bytes=5,239, window_sec=30\t\nsession\tSESSION-7b3c407fbcf7cdbc\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,993,203.852, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=108.136.220.138, start_time=1,777,993,203.852, tcp_flags=, time_bucket=1,777,993,200, total_bytes=164, window_sec=30\t\nsession\tSESSION-5ceacf6e3fad521a\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,014,812.499, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=48,809, start_time=1,778,014,812.499, tcp_flags=, time_bucket=1,778,014,800, total_bytes=282, window_sec=30\t\nsession\tSESSION-6809ae9f3f9de168\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,004,002.046, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=50,991, start_time=1,778,004,002.045, tcp_flags=, time_bucket=1,778,004,000, total_bytes=282, window_sec=30\t\nsession\tSESSION-afdbc113425d69ae\tdst_ip=172.234.197.23, dst_port=443, duration_sec=1.97, end_time=1,778,014,813.62, expected_protocol=https, packet_count=36, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=91.227.37.60, src_port=58,250, start_time=1,778,014,811.645, tcp_flags=A,S,F,P, time_bucket=1,778,014,800, total_bytes=15,470, window_sec=30\t\nsession\tSESSION-4d8ee5a4e3d2c6cb\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,996,803.214, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=108.137.71.172, start_time=1,777,996,803.214, tcp_flags=, time_bucket=1,777,996,800, total_bytes=164, window_sec=30\t\nsession\tSESSION-9ac8120baa6b4cb5\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,996,814.49, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=16.79.76.70, start_time=1,777,996,814.49, tcp_flags=, time_bucket=1,777,996,800, total_bytes=164, window_sec=30\t\nsession\tSESSION-6f371d3a9290449b\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,007,613.866, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=54,737, start_time=1,778,007,613.865, tcp_flags=, time_bucket=1,778,007,600, total_bytes=282, window_sec=30\t\nsession\tSESSION-bb030de157a28a92\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,000,418.556, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=51.224.129.180, start_time=1,778,000,418.556, tcp_flags=, time_bucket=1,778,000,400, total_bytes=164, window_sec=30\t\nsession\tSESSION-c70914c01a4dbe00\tdst_ip=172.234.197.23, dst_port=22, duration_sec=4.19, end_time=1,778,004,053.087, expected_protocol=ssh, packet_count=25, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=221.156.137.102, src_port=34,634, start_time=1,778,004,048.892, tcp_flags=A,S,F,P, time_bucket=1,778,004,030, total_bytes=4,957, window_sec=30\t\nsession\tSESSION-e437667b37d516f6\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,000,404.911, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=54.226.218.70, start_time=1,778,000,404.911, tcp_flags=, time_bucket=1,778,000,400, total_bytes=164, window_sec=30\t\nsession\tSESSION-c28f30a8568677bd\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,000,421.896, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=54.237.9.199, start_time=1,778,000,421.896, tcp_flags=, time_bucket=1,778,000,400, total_bytes=164, window_sec=30\t\nsession\tSESSION-d96f4e3d10a0a4f0\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,004,008.169, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=103.155.16.117, start_time=1,778,004,008.169, tcp_flags=, time_bucket=1,778,004,000, total_bytes=84, window_sec=30\t\nsession\tSESSION-859dff0703adcd19\tdst_ip=172.234.197.23, dst_port=80, duration_sec=0.47, end_time=1,778,014,842.052, expected_protocol=http, packet_count=12, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=78.153.140.149, src_port=59,552, start_time=1,778,014,841.582, tcp_flags=A,S,F,P, time_bucket=1,778,014,830, total_bytes=1,522, window_sec=30\t\nsession\tSESSION-989e93673dd1c7a6\tdst_ip=172.234.197.23, dst_port=80, duration_sec=1.67, end_time=1,778,000,454.061, expected_protocol=http, packet_count=10, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=14.17.85.204, src_port=47,556, start_time=1,778,000,452.395, tcp_flags=A,S,F,P, time_bucket=1,778,000,430, total_bytes=1,228, window_sec=30\t\nsession\tSESSION-5b835c6ebb995a7d\tdst_ip=172.234.197.23, dst_port=80, duration_sec=0.09, end_time=1,777,996,854.544, expected_protocol=http, packet_count=3, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=5.61.209.107, src_port=53,644, start_time=1,777,996,854.449, tcp_flags=A,S,R, time_bucket=1,777,996,830, total_bytes=166, window_sec=30\t\nsession\tSESSION-56879d86cd26b6ef\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,000,401.243, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=54,551, start_time=1,778,000,401.241, tcp_flags=, time_bucket=1,778,000,400, total_bytes=313, window_sec=30\t\nsession\tSESSION-48538346c6e3fa4e\tdst_ip=92.118.39.236, dst_port=46,006, duration_sec=0.13, end_time=1,778,011,213.896, expected_protocol=unregistered:46006, packet_count=2, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=172.234.197.23, src_port=22, start_time=1,778,011,213.768, tcp_flags=R,A,P, time_bucket=1,778,011,200, total_bytes=172, window_sec=30\t\nsession\tSESSION-9d04f6d7b357bacd\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,011,201.609, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=37,889, start_time=1,778,011,201.607, tcp_flags=, time_bucket=1,778,011,200, total_bytes=313, window_sec=30\t\nsession\tSESSION-83e825ce567e05ed\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,000,418.694, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=51.224.214.156, start_time=1,778,000,418.694, tcp_flags=, time_bucket=1,778,000,400, total_bytes=164, window_sec=30\t\nsession\tSESSION-061c5d7701fcd16d\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,996,824.71, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=108.137.123.21, start_time=1,777,996,824.71, tcp_flags=, time_bucket=1,777,996,800, total_bytes=164, window_sec=30\t\nsession\tSESSION-2defdff48f63b22c\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,000,415.036, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=13.216.252.177, start_time=1,778,000,415.036, tcp_flags=, time_bucket=1,778,000,400, total_bytes=164, window_sec=30\t\nsession\tSESSION-061b514c6b7df469\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0.18, end_time=1,778,014,824.398, expected_protocol=https, packet_count=38, proto=TCP, protocol_anomaly_score=0.35, protocol_violations=missing_tls, protocols=TCP, src_ip=172.236.119.165, src_port=45,936, start_time=1,778,014,824.222, tcp_flags=A,S,F,P, time_bucket=1,778,014,800, total_bytes=32,958, window_sec=30\t\nsession\tSESSION-449dd50fe1669698\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,004,019.14, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=18.138.243.16, start_time=1,778,004,019.14, tcp_flags=, time_bucket=1,778,004,000, total_bytes=164, window_sec=30\t\nsession\tSESSION-53f109edd419cdc2\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,993,214.057, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=16.79.76.70, start_time=1,777,993,214.057, tcp_flags=, time_bucket=1,777,993,200, total_bytes=164, window_sec=30\t\nsession\tSESSION-134b659b9f89c977\tdst_ip=172.232.0.17, dst_port=53, duration_sec=0, end_time=1,778,011,221.887, expected_protocol=dns, packet_count=2, proto=UDP, protocol_anomaly_score=0, protocol_violations=, protocols=UDP, src_ip=172.234.197.23, src_port=60,303, start_time=1,778,011,221.887, tcp_flags=, time_bucket=1,778,011,200, total_bytes=282, window_sec=30\t\nsession\tSESSION-15c7d6c96ae38709\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0.45, end_time=1,778,000,460.583, expected_protocol=https, packet_count=10, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=43.172.194.114, src_port=53,474, start_time=1,778,000,460.128, tcp_flags=A,P, time_bucket=1,778,000,460, total_bytes=5,320, window_sec=30\t\nsession\tSESSION-a74e44c20494fb3b\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,777,993,231.805, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=51.224.16.78, start_time=1,777,993,231.805, tcp_flags=, time_bucket=1,777,993,230, total_bytes=164, window_sec=30\t\nsession\tSESSION-1f42c1a2508937e6\tdst_ip=172.234.197.23, duration_sec=0, end_time=1,778,011,208.352, expected_protocol=unregistered:0, packet_count=2, proto=ICMP, protocol_anomaly_score=0, protocol_violations=, protocols=ICMP, src_ip=103.155.16.117, start_time=1,778,011,208.352, tcp_flags=, time_bucket=1,778,011,200, total_bytes=84, window_sec=30\t\nsession\tSESSION-8ead85dcd9724179\tdst_ip=172.234.197.23, dst_port=443, duration_sec=0.99, end_time=1,778,000,449.709, expected_protocol=https, packet_count=22, proto=TCP, protocol_anomaly_score=0, protocol_violations=, protocols=TCP, src_ip=43.173.187.143, src_port=3,855, start_time=1,778,000,448.717, tcp_flags=A,S,P, time_bucket=1,778,000,430, total_bytes=6,416, window_sec=30\t\ntls_sni\ttls_sni:172-234-197-23.ip.linodeusercontent.com\tsni=172-234-197-23.ip.linodeusercontent.com\t\ntls_sni\ttls_sni:api.snapcraft.io\tsni=api.snapcraft.io\n\nEdges\nKind\tID\tNodes\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-6809ae9f3f9de168:host:172.232.0.17\tSESSION-6809ae9f3f9de168 \u2192 host:172.232.0.17\nflow_observed5-aryOBS\te:fo:flow:1914bb7cc20f\tflow:1914bb7cc20f \u2192 host:14.17.85.204 \u2192 host:172.234.197.23 \u2192 port:tcp:80 \u2192 svc:http\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-53f109edd419cdc2:flow:c4b1d3f380b6\tSESSION-53f109edd419cdc2 \u2192 flow:c4b1d3f380b6\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-bb030de157a28a92:host:172.234.197.23\tSESSION-bb030de157a28a92 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-901a03ef18d43905:host:172.234.197.23\tSESSION-901a03ef18d43905 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-83e825ce567e05ed:host:172.234.197.23\tSESSION-83e825ce567e05ed \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-d96f4e3d10a0a4f0:host:172.234.197.23\tSESSION-d96f4e3d10a0a4f0 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-4be2484ef7d205f9:host:172.234.197.23\tSESSION-4be2484ef7d205f9 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-8946fc29c6b46f6d:SESSION-8946fc29c6b46f6d\tSESSION-8946fc29c6b46f6d \u2192 pe:tls:SESSION-8946fc29c6b46f6d\nASN_IN_ORGOBS 80%\te:ao:asn:8075:org:Microsoft Corporation\tasn:8075 \u2192 org:Microsoft Corporation\nFLOW_DST_PORTOBS\te:fp:flow:9177236cf88d:port:tcp:80\tflow:9177236cf88d \u2192 port:tcp:80\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-ad1c4ddd91bc1148:flow:4501038c119d\tSESSION-ad1c4ddd91bc1148 \u2192 flow:4501038c119d\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 90%\te:bsg:SESSION-1f42c1a2508937e6:BSG-BEACON-a8a8c3c8a37f\tSESSION-1f42c1a2508937e6 \u2192 BSG-BEACON-a8a8c3c8a37f\nFLOW_TLS_SNIOBS\te:fs:flow:a17816cafef4:tls_sni:172-234-197-23.ip.linodeusercontent.com\tflow:a17816cafef4 \u2192 tls_sni:172-234-197-23.ip.linodeusercontent.com\nFLOW_FROM_HOSTOBS\te:from:SESSION-6809ae9f3f9de168:host:172.234.197.23\tSESSION-6809ae9f3f9de168 \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-1164951de921d536:PCAP:capture_20260505200001:d502e7eabbdd\tSESSION-1164951de921d536 \u2192 PCAP:capture_20260505200001:d502e7eabbdd\nFLOW_DST_PORTOBS\te:fp:flow:0f6e4fea1ebd:port:udp:53\tflow:0f6e4fea1ebd \u2192 port:udp:53\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:103.155.16.117:geo_1.29390_103.84610\thost:103.155.16.117 \u2192 geo_1.29390_103.84610\nFLOW_DST_PORTOBS\te:fp:flow:1ef937ba29a6:port:tcp:443\tflow:1ef937ba29a6 \u2192 port:tcp:443\nFLOW_TO_HOSTOBS\te:to:SESSION-afdbc113425d69ae:host:172.234.197.23\tSESSION-afdbc113425d69ae \u2192 host:172.234.197.23\nflow_observed5-aryOBS\te:fo:flow:347478b466ec\tflow:347478b466ec \u2192 host:14.17.85.204 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nFLOW_TO_HOSTOBS\te:to:SESSION-061b514c6b7df469:host:172.234.197.23\tSESSION-061b514c6b7df469 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-afdbc113425d69ae:SESSION-afdbc113425d69ae\tSESSION-afdbc113425d69ae \u2192 pe:tls:SESSION-afdbc113425d69ae\nFLOW_TO_HOSTOBS\te:to:SESSION-5d116249fba5ef1a:host:172.234.197.23\tSESSION-5d116249fba5ef1a \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-c9df47030e6edeae:host:40.77.167.4\tSESSION-c9df47030e6edeae \u2192 host:40.77.167.4\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-ac2fa7388db2f6bf:host:172.232.0.17\tSESSION-ac2fa7388db2f6bf \u2192 host:172.232.0.17\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-34afdab6201869ee:host:51.224.53.243:host:172.234.197.23\tSESSION-34afdab6201869ee \u2192 host:51.224.53.243 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-6f371d3a9290449b:host:172.234.197.23\tSESSION-6f371d3a9290449b \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-bf0cece70f740446:host:44.203.55.60\tSESSION-bf0cece70f740446 \u2192 host:44.203.55.60\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-432ab8a16199cf6c:host:92.118.39.196:host:172.234.197.23\tSESSION-432ab8a16199cf6c \u2192 host:92.118.39.196 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-9ac8120baa6b4cb5:host:172.234.197.23\tSESSION-9ac8120baa6b4cb5 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-5b835c6ebb995a7d:host:172.234.197.23\tSESSION-5b835c6ebb995a7d \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-ba31b8d0bcea573c:host:172.232.0.17\tSESSION-ba31b8d0bcea573c \u2192 host:172.232.0.17\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-ba31b8d0bcea573c:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-ba31b8d0bcea573c \u2192 PCAP:capture_20260505160001:6505a8988bcf\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-48258acdb44fa51f:flow:e0e919fe14b3\tSESSION-48258acdb44fa51f \u2192 flow:e0e919fe14b3\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-d1099e585fa36f54:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-d1099e585fa36f54 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 75%\te:bsg:SESSION-d1d3131167e5d8a7:BSG-BEACON-f6c2b3d0e42d\tSESSION-d1d3131167e5d8a7 \u2192 BSG-BEACON-f6c2b3d0e42d\nFLOW_TO_HOSTOBS\te:to:SESSION-5b835c6ebb995a7d:host:172.234.197.23\tSESSION-5b835c6ebb995a7d \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-b0bace154ed8e7e1:host:103.220.165.12\tSESSION-b0bace154ed8e7e1 \u2192 host:103.220.165.12\nflow_observed5-aryOBS\te:fo:flow:1507855d0ab9\tflow:1507855d0ab9 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-402c59976f95ccac:SESSION-402c59976f95ccac\tSESSION-402c59976f95ccac \u2192 pe:dns:SESSION-402c59976f95ccac\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-1d2c12c54a6b8ee9:flow:449957d41315\tSESSION-1d2c12c54a6b8ee9 \u2192 flow:449957d41315\nflow_observed3-aryOBS\te:fo:flow:5c0f3e09f588\tflow:5c0f3e09f588 \u2192 host:108.136.231.22 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-2defdff48f63b22c:host:13.216.252.177\tSESSION-2defdff48f63b22c \u2192 host:13.216.252.177\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-6161ce1063e366a2:PCAP:capture_20260505190001:a68bf0af3b16\tSESSION-6161ce1063e366a2 \u2192 PCAP:capture_20260505190001:a68bf0af3b16\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-1164951de921d536:host:40.77.167.4\tSESSION-1164951de921d536 \u2192 host:40.77.167.4\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-ac2fa7388db2f6bf:SESSION-ac2fa7388db2f6bf\tSESSION-ac2fa7388db2f6bf \u2192 pe:dns:SESSION-ac2fa7388db2f6bf\nFLOW_QUERIED_DNSOBS\te:fd:flow:7ac69d00b687:dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\tflow:7ac69d00b687 \u2192 dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-5d116249fba5ef1a:host:14.152.83.244:host:172.234.197.23\tSESSION-5d116249fba5ef1a \u2192 host:14.152.83.244 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-cef22d690e31564a:host:172.234.197.23\tSESSION-cef22d690e31564a \u2192 host:172.234.197.23\nflow_observed3-aryOBS\te:fo:flow:5f0f49123cd7\tflow:5f0f49123cd7 \u2192 host:108.137.154.183 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-548e9314b3086ca9:host:172.234.197.23\tSESSION-548e9314b3086ca9 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-6f591a82d04e2f23:host:108.137.154.183:host:172.234.197.23\tSESSION-6f591a82d04e2f23 \u2192 host:108.137.154.183 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-c9df47030e6edeae:host:40.77.167.4\tSESSION-c9df47030e6edeae \u2192 host:40.77.167.4\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-061b514c6b7df469:PCAP:capture_20260505210001:fe9b7b09d76a\tSESSION-061b514c6b7df469 \u2192 PCAP:capture_20260505210001:fe9b7b09d76a\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-901a03ef18d43905:PCAP:capture_20260505210001:fe9b7b09d76a\tSESSION-901a03ef18d43905 \u2192 PCAP:capture_20260505210001:fe9b7b09d76a\nFLOW_FROM_HOSTOBS\te:from:SESSION-1f42c1a2508937e6:host:103.155.16.117\tSESSION-1f42c1a2508937e6 \u2192 host:103.155.16.117\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-fb52ff5a15515e30:host:199.45.155.73:host:172.234.197.23\tSESSION-fb52ff5a15515e30 \u2192 host:199.45.155.73 \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-56879d86cd26b6ef:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-56879d86cd26b6ef \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-ac2fa7388db2f6bf:flow:7823764fbd64\tSESSION-ac2fa7388db2f6bf \u2192 flow:7823764fbd64\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-1164951de921d536:host:40.77.167.4:host:172.234.197.23\tSESSION-1164951de921d536 \u2192 host:40.77.167.4 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-1d2c12c54a6b8ee9:host:172.234.197.23:host:172.232.0.17\tSESSION-1d2c12c54a6b8ee9 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nflow_observed3-aryOBS\te:fo:flow:670bf8372bed\tflow:670bf8372bed \u2192 host:108.136.195.128 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-48258acdb44fa51f:host:51.224.145.152\tSESSION-48258acdb44fa51f \u2192 host:51.224.145.152\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-1f42c1a2508937e6:host:172.234.197.23\tSESSION-1f42c1a2508937e6 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-1164951de921d536:host:172.234.197.23\tSESSION-1164951de921d536 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:199.45.155.73:geo_37.75100_-97.82200\thost:199.45.155.73 \u2192 geo_37.75100_-97.82200\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-449dd50fe1669698:host:18.138.243.16:host:172.234.197.23\tSESSION-449dd50fe1669698 \u2192 host:18.138.243.16 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-402c59976f95ccac:host:172.234.197.23\tSESSION-402c59976f95ccac \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-5ad6262f0c135833:host:172.234.197.23\tSESSION-5ad6262f0c135833 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-0280199fcf3ea167:host:172.234.197.23\tSESSION-0280199fcf3ea167 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-b6b6a46eb2435b2c:host:172.232.0.17\tSESSION-b6b6a46eb2435b2c \u2192 host:172.232.0.17\nFLOW_TO_HOSTOBS\te:to:SESSION-a74e44c20494fb3b:host:172.234.197.23\tSESSION-a74e44c20494fb3b \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-432ab8a16199cf6c:host:92.118.39.196\tSESSION-432ab8a16199cf6c \u2192 host:92.118.39.196\nFLOW_TO_HOSTOBS\te:to:SESSION-1164951de921d536:host:172.234.197.23\tSESSION-1164951de921d536 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-29997713c592805d:host:172.234.197.23\tSESSION-29997713c592805d \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-6809ae9f3f9de168:host:172.234.197.23:host:172.232.0.17\tSESSION-6809ae9f3f9de168 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-989e93673dd1c7a6:host:172.234.197.23\tSESSION-989e93673dd1c7a6 \u2192 host:172.234.197.23\nFLOW_DST_PORTOBS\te:fp:flow:81d4435dcab9:port:tcp:443\tflow:81d4435dcab9 \u2192 port:tcp:443\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-93e42c11b9b89aaf:host:172.232.0.17\tSESSION-93e42c11b9b89aaf \u2192 host:172.232.0.17\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-548e9314b3086ca9:SESSION-548e9314b3086ca9\tSESSION-548e9314b3086ca9 \u2192 pe:syn:SESSION-548e9314b3086ca9\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:51.224.123.234:geo_52.51960_13.40690\thost:51.224.123.234 \u2192 geo_52.51960_13.40690\nHOST_IN_ASNOBS 85%\te:ha:host:199.45.155.73:asn:398722\thost:199.45.155.73 \u2192 asn:398722\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-bf0cece70f740446:host:44.203.55.60\tSESSION-bf0cece70f740446 \u2192 host:44.203.55.60\nFLOW_FROM_HOSTOBS\te:from:SESSION-d1099e585fa36f54:host:3.234.246.186\tSESSION-d1099e585fa36f54 \u2192 host:3.234.246.186\nflow_observed3-aryOBS\te:fo:flow:d2aa3d958328\tflow:d2aa3d958328 \u2192 host:18.138.243.16 \u2192 host:172.234.197.23\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 90%\te:bsg:SESSION-28d60172800a0b5c:BSG-BEACON-f6c2b3d0e42d\tSESSION-28d60172800a0b5c \u2192 BSG-BEACON-f6c2b3d0e42d\nFLOW_FROM_HOSTOBS\te:from:SESSION-ba31b8d0bcea573c:host:172.234.197.23\tSESSION-ba31b8d0bcea573c \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-29997713c592805d:host:172.232.0.17\tSESSION-29997713c592805d \u2192 host:172.232.0.17\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 90%\te:bsg:SESSION-d96f4e3d10a0a4f0:BSG-BEACON-a8a8c3c8a37f\tSESSION-d96f4e3d10a0a4f0 \u2192 BSG-BEACON-a8a8c3c8a37f\nHOST_IN_ASNOBS 85%\te:ha:host:185.125.188.57:asn:41231\thost:185.125.188.57 \u2192 asn:41231\nFLOW_TO_HOSTOBS\te:to:SESSION-93e42c11b9b89aaf:host:172.232.0.17\tSESSION-93e42c11b9b89aaf \u2192 host:172.232.0.17\nflow_observed5-aryOBS\te:fo:flow:83a5cffc6703\tflow:83a5cffc6703 \u2192 host:172.234.197.23 \u2192 host:185.125.188.57 \u2192 port:tcp:443 \u2192 svc:https\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-08dd2a06bab4a852:host:172.234.197.23\tSESSION-08dd2a06bab4a852 \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:40.77.167.4:asn:8075\thost:40.77.167.4 \u2192 asn:8075\nFLOW_TO_HOSTOBS\te:to:SESSION-a4e2d049e521c4ea:host:172.234.197.23\tSESSION-a4e2d049e521c4ea \u2192 host:172.234.197.23\nflow_observed5-aryOBS\te:fo:flow:d55b3af6cdbc\tflow:d55b3af6cdbc \u2192 host:102.69.167.14 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 65%\te:bsg:SESSION-1164951de921d536:BSG-DATA_EXFIL-c9d90f130d90\tSESSION-1164951de921d536 \u2192 BSG-DATA_EXFIL-c9d90f130d90\nHOST_IN_ASNOBS 85%\te:ha:host:3.143.162.210:asn:16509\thost:3.143.162.210 \u2192 asn:16509\nflow_observed5-aryOBS\te:fo:flow:b4f49eacb030\tflow:b4f49eacb030 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nFLOW_TO_HOSTOBS\te:to:SESSION-1e693ff8754b6a4b:host:172.232.0.17\tSESSION-1e693ff8754b6a4b \u2192 host:172.232.0.17\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-cef22d690e31564a:SESSION-cef22d690e31564a\tSESSION-cef22d690e31564a \u2192 pe:dns:SESSION-cef22d690e31564a\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-4be2484ef7d205f9:host:199.45.155.73:host:172.234.197.23\tSESSION-4be2484ef7d205f9 \u2192 host:199.45.155.73 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:51.224.53.243:geo_52.51960_13.40690\thost:51.224.53.243 \u2192 geo_52.51960_13.40690\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-548e9314b3086ca9:host:172.234.197.23\tSESSION-548e9314b3086ca9 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:3.143.162.210:geo_39.96250_-83.00610\thost:3.143.162.210 \u2192 geo_39.96250_-83.00610\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:108.137.154.183:geo_-6.21140_106.84460\thost:108.137.154.183 \u2192 geo_-6.21140_106.84460\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 75%\te:bsg:SESSION-1e693ff8754b6a4b:BSG-BEACON-f6c2b3d0e42d\tSESSION-1e693ff8754b6a4b \u2192 BSG-BEACON-f6c2b3d0e42d\nflow_observed5-aryOBS\te:fo:flow:a0f73d4e1f2a\tflow:a0f73d4e1f2a \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nflow_observed5-aryOBS\te:fo:flow:ef50ec85480c\tflow:ef50ec85480c \u2192 host:5.61.209.107 \u2192 host:172.234.197.23 \u2192 port:tcp:80 \u2192 svc:http\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-53f109edd419cdc2:host:16.79.76.70\tSESSION-53f109edd419cdc2 \u2192 host:16.79.76.70\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-c9df47030e6edeae:host:172.234.197.23\tSESSION-c9df47030e6edeae \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-52ca69764e41f269:SESSION-52ca69764e41f269\tSESSION-52ca69764e41f269 \u2192 pe:tls:SESSION-52ca69764e41f269\nHOST_IN_ASNOBS 85%\te:ha:host:51.224.53.243:asn:16509\thost:51.224.53.243 \u2192 asn:16509\nFLOW_DST_PORTOBS\te:fp:flow:347478b466ec:port:tcp:443\tflow:347478b466ec \u2192 port:tcp:443\nflow_observed4-aryOBS\te:fo:flow:f7a277f9998b\tflow:f7a277f9998b \u2192 host:3.143.162.210 \u2192 host:172.234.197.23 \u2192 port:tcp:21\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-6161ce1063e366a2:host:185.125.188.57\tSESSION-6161ce1063e366a2 \u2192 host:185.125.188.57\nHOST_IN_ASNOBS 85%\te:ha:host:43.173.187.143:asn:132203\thost:43.173.187.143 \u2192 asn:132203\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-56879d86cd26b6ef:host:172.232.0.17\tSESSION-56879d86cd26b6ef \u2192 host:172.232.0.17\nflow_observed3-aryOBS\te:fo:flow:e0e919fe14b3\tflow:e0e919fe14b3 \u2192 host:51.224.145.152 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-d1099e585fa36f54:flow:6bb1f29d53ff\tSESSION-d1099e585fa36f54 \u2192 flow:6bb1f29d53ff\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-4d8ee5a4e3d2c6cb:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-4d8ee5a4e3d2c6cb \u2192 PCAP:capture_20260505160001:6505a8988bcf\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-5d116249fba5ef1a:SESSION-5d116249fba5ef1a\tSESSION-5d116249fba5ef1a \u2192 pe:tls:SESSION-5d116249fba5ef1a\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-112a52c8741e1f24:host:172.234.197.23\tSESSION-112a52c8741e1f24 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-402c59976f95ccac:flow:a4dceb0b502c\tSESSION-402c59976f95ccac \u2192 flow:a4dceb0b502c\nFLOW_DST_PORTOBS\te:fp:flow:c55c01d60832:port:udp:53\tflow:c55c01d60832 \u2192 port:udp:53\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-22e21c154242e139:host:172.234.197.23\tSESSION-22e21c154242e139 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-8946fc29c6b46f6d:host:172.234.197.23\tSESSION-8946fc29c6b46f6d \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-1e693ff8754b6a4b:host:172.234.197.23\tSESSION-1e693ff8754b6a4b \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-bf0cece70f740446:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-bf0cece70f740446 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:54.237.9.199:geo_39.04690_-77.49030\thost:54.237.9.199 \u2192 geo_39.04690_-77.49030\nflow_observed5-aryOBS\te:fo:flow:c8c5a6720f95\tflow:c8c5a6720f95 \u2192 host:78.153.140.149 \u2192 host:172.234.197.23 \u2192 port:tcp:80 \u2192 svc:http\nFLOW_FROM_HOSTOBS\te:from:SESSION-cef22d690e31564a:host:172.234.197.23\tSESSION-cef22d690e31564a \u2192 host:172.234.197.23\nFLOW_DST_PORTOBS\te:fp:flow:c8c5a6720f95:port:tcp:80\tflow:c8c5a6720f95 \u2192 port:tcp:80\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:172.234.197.23:geo_41.88350_-87.63050\thost:172.234.197.23 \u2192 geo_41.88350_-87.63050\nflow_observed5-aryOBS\te:fo:flow:40d85800a99d\tflow:40d85800a99d \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-8f7048e06d096abe:host:172.234.197.23:host:92.118.39.236\tSESSION-8f7048e06d096abe \u2192 host:172.234.197.23 \u2192 host:92.118.39.236\nFLOW_FROM_HOSTOBS\te:from:SESSION-0280199fcf3ea167:host:32.195.50.176\tSESSION-0280199fcf3ea167 \u2192 host:32.195.50.176\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-f439a23db4014944:host:14.17.85.204\tSESSION-f439a23db4014944 \u2192 host:14.17.85.204\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-b43027ed299d5e94:SESSION-b43027ed299d5e94\tSESSION-b43027ed299d5e94 \u2192 pe:syn:SESSION-b43027ed299d5e94\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-4d8ee5a4e3d2c6cb:flow:dd59f847be17\tSESSION-4d8ee5a4e3d2c6cb \u2192 flow:dd59f847be17\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 65%\te:bsg:SESSION-6f371d3a9290449b:BSG-BEACON-f6c2b3d0e42d\tSESSION-6f371d3a9290449b \u2192 BSG-BEACON-f6c2b3d0e42d\nflow_observed3-aryOBS\te:fo:flow:a697fcd98900\tflow:a697fcd98900 \u2192 host:54.226.218.70 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-b0bace154ed8e7e1:flow:f56c5e5e9322\tSESSION-b0bace154ed8e7e1 \u2192 flow:f56c5e5e9322\nFLOW_DST_PORTOBS\te:fp:flow:daf8c45d27ff:port:tcp:22\tflow:daf8c45d27ff \u2192 port:tcp:22\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-061b514c6b7df469:host:172.236.119.165\tSESSION-061b514c6b7df469 \u2192 host:172.236.119.165\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-1d2c12c54a6b8ee9:host:172.234.197.23\tSESSION-1d2c12c54a6b8ee9 \u2192 host:172.234.197.23\nASN_IN_ORGOBS 80%\te:ao:asn:328436:org:Flashnet-Technologies-Limited\tasn:328436 \u2192 org:Flashnet-Technologies-Limited\nFLOW_TO_HOSTOBS\te:to:SESSION-6809ae9f3f9de168:host:172.232.0.17\tSESSION-6809ae9f3f9de168 \u2192 host:172.232.0.17\nflow_observed4-aryOBS\te:fo:flow:d660fa8ff9b1\tflow:d660fa8ff9b1 \u2192 host:172.234.197.23 \u2192 host:92.118.39.236 \u2192 port:tcp:46006\nFLOW_FROM_HOSTOBS\te:from:SESSION-6f371d3a9290449b:host:172.234.197.23\tSESSION-6f371d3a9290449b \u2192 host:172.234.197.23\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 90%\te:bsg:SESSION-ec5c8fa8037e3562:BSG-BEACON-a8a8c3c8a37f\tSESSION-ec5c8fa8037e3562 \u2192 BSG-BEACON-a8a8c3c8a37f\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-15c7d6c96ae38709:host:172.234.197.23\tSESSION-15c7d6c96ae38709 \u2192 host:172.234.197.23\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 75%\te:bsg:SESSION-d4533a7174934c47:BSG-BEACON-f6c2b3d0e42d\tSESSION-d4533a7174934c47 \u2192 BSG-BEACON-f6c2b3d0e42d\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-989e93673dd1c7a6:SESSION-989e93673dd1c7a6\tSESSION-989e93673dd1c7a6 \u2192 pe:syn:SESSION-989e93673dd1c7a6\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:40.77.167.27:geo_36.66940_-78.38770\thost:40.77.167.27 \u2192 geo_36.66940_-78.38770\nFLOW_FROM_HOSTOBS\te:from:SESSION-b0bace154ed8e7e1:host:103.220.165.12\tSESSION-b0bace154ed8e7e1 \u2192 host:103.220.165.12\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-4be2484ef7d205f9:host:199.45.155.73\tSESSION-4be2484ef7d205f9 \u2192 host:199.45.155.73\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-ba31b8d0bcea573c:flow:484583ddd05a\tSESSION-ba31b8d0bcea573c \u2192 flow:484583ddd05a\nflow_observed5-aryOBS\te:fo:flow:441658b54583\tflow:441658b54583 \u2192 host:43.173.132.82 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nFLOW_TLS_SNIOBS\te:fs:flow:83a5cffc6703:tls_sni:api.snapcraft.io\tflow:83a5cffc6703 \u2192 tls_sni:api.snapcraft.io\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-548e9314b3086ca9:PCAP:capture_20260505190001:a68bf0af3b16\tSESSION-548e9314b3086ca9 \u2192 PCAP:capture_20260505190001:a68bf0af3b16\nflow_observed3-aryOBS\te:fo:flow:ea0949f415db\tflow:ea0949f415db \u2192 host:108.136.246.109 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-52ca69764e41f269:SESSION-52ca69764e41f269\tSESSION-52ca69764e41f269 \u2192 pe:syn:SESSION-52ca69764e41f269\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-83e825ce567e05ed:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-83e825ce567e05ed \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nHOST_IN_ASNOBS 85%\te:ha:host:13.250.21.18:asn:16509\thost:13.250.21.18 \u2192 asn:16509\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-134b659b9f89c977:host:172.232.0.17\tSESSION-134b659b9f89c977 \u2192 host:172.232.0.17\nASN_IN_ORGOBS 80%\te:ao:asn:398722:org:Censys, Inc.\tasn:398722 \u2192 org:Censys, Inc.\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-53f109edd419cdc2:PCAP:capture_20260505150001:90690819257f\tSESSION-53f109edd419cdc2 \u2192 PCAP:capture_20260505150001:90690819257f\nFLOW_FROM_HOSTOBS\te:from:SESSION-f439a23db4014944:host:14.17.85.204\tSESSION-f439a23db4014944 \u2192 host:14.17.85.204\nFLOW_FROM_HOSTOBS\te:from:SESSION-4d8ee5a4e3d2c6cb:host:108.137.71.172\tSESSION-4d8ee5a4e3d2c6cb \u2192 host:108.137.71.172\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:rst:SESSION-51b92cc6a561b81c:SESSION-51b92cc6a561b81c\tSESSION-51b92cc6a561b81c \u2192 pe:rst:SESSION-51b92cc6a561b81c\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-98342a2659e39b9d:SESSION-98342a2659e39b9d\tSESSION-98342a2659e39b9d \u2192 pe:syn:SESSION-98342a2659e39b9d\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-48258acdb44fa51f:PCAP:capture_20260505150001:90690819257f\tSESSION-48258acdb44fa51f \u2192 PCAP:capture_20260505150001:90690819257f\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-29997713c592805d:host:172.234.197.23:host:172.232.0.17\tSESSION-29997713c592805d \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nflow_observed3-aryOBS\te:fo:flow:7027314e9f62\tflow:7027314e9f62 \u2192 host:54.237.9.199 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-22dca0f7e254df40:host:172.234.197.23\tSESSION-22dca0f7e254df40 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-5b835c6ebb995a7d:SESSION-5b835c6ebb995a7d\tSESSION-5b835c6ebb995a7d \u2192 pe:syn:SESSION-5b835c6ebb995a7d\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-fb52ff5a15515e30:SESSION-fb52ff5a15515e30\tSESSION-fb52ff5a15515e30 \u2192 pe:syn:SESSION-fb52ff5a15515e30\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:102.69.167.14:geo_-6.82270_39.29100\thost:102.69.167.14 \u2192 geo_-6.82270_39.29100\nFLOW_FROM_HOSTOBS\te:from:SESSION-56879d86cd26b6ef:host:172.234.197.23\tSESSION-56879d86cd26b6ef \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-e437667b37d516f6:host:54.226.218.70\tSESSION-e437667b37d516f6 \u2192 host:54.226.218.70\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-a4e2d049e521c4ea:PCAP:capture_20260505180001:aab19cafbf97\tSESSION-a4e2d049e521c4ea \u2192 PCAP:capture_20260505180001:aab19cafbf97\nFLOW_TO_HOSTOBS\te:to:SESSION-d96f4e3d10a0a4f0:host:172.234.197.23\tSESSION-d96f4e3d10a0a4f0 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-22e21c154242e139:host:108.136.195.128\tSESSION-22e21c154242e139 \u2192 host:108.136.195.128\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:rst:SESSION-48538346c6e3fa4e:SESSION-48538346c6e3fa4e\tSESSION-48538346c6e3fa4e \u2192 pe:rst:SESSION-48538346c6e3fa4e\nFLOW_TO_HOSTOBS\te:to:SESSION-d1d3131167e5d8a7:host:172.232.0.17\tSESSION-d1d3131167e5d8a7 \u2192 host:172.232.0.17\nFLOW_DST_PORTOBS\te:fp:flow:1914bb7cc20f:port:tcp:80\tflow:1914bb7cc20f \u2192 port:tcp:80\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-c28f30a8568677bd:host:54.237.9.199:host:172.234.197.23\tSESSION-c28f30a8568677bd \u2192 host:54.237.9.199 \u2192 host:172.234.197.23\nflow_observed5-aryOBS\te:fo:flow:d71d4a109401\tflow:d71d4a109401 \u2192 host:43.173.187.143 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-3936b227c1331c5d:host:172.234.197.23\tSESSION-3936b227c1331c5d \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-28d60172800a0b5c:host:172.232.0.17\tSESSION-28d60172800a0b5c \u2192 host:172.232.0.17\nASN_IN_ORGOBS 80%\te:ao:asn:200780:org:Eurofiber France SAS\tasn:200780 \u2192 org:Eurofiber France SAS\nflow_observed5-aryOBS\te:fo:flow:f2155c27e443\tflow:f2155c27e443 \u2192 host:78.153.140.149 \u2192 host:172.234.197.23 \u2192 port:tcp:80 \u2192 svc:http\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-ad1c4ddd91bc1148:host:3.220.15.173:host:172.234.197.23\tSESSION-ad1c4ddd91bc1148 \u2192 host:3.220.15.173 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-bb030de157a28a92:host:51.224.129.180\tSESSION-bb030de157a28a92 \u2192 host:51.224.129.180\nFLOW_TO_HOSTOBS\te:to:SESSION-ad1c4ddd91bc1148:host:172.234.197.23\tSESSION-ad1c4ddd91bc1148 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-a4e2d049e521c4ea:flow:27bcaa9bf1c4\tSESSION-a4e2d049e521c4ea \u2192 flow:27bcaa9bf1c4\nFLOW_TO_HOSTOBS\te:to:SESSION-6161ce1063e366a2:host:185.125.188.57\tSESSION-6161ce1063e366a2 \u2192 host:185.125.188.57\nflow_observed3-aryOBS\te:fo:flow:143398f9d784\tflow:143398f9d784 \u2192 host:13.216.252.177 \u2192 host:172.234.197.23\nFLOW_TLS_SNIOBS\te:fs:flow:d71d4a109401:tls_sni:172-234-197-23.ip.linodeusercontent.com\tflow:d71d4a109401 \u2192 tls_sni:172-234-197-23.ip.linodeusercontent.com\nFLOW_HTTP_HOSTOBS\te:fh:flow:9177236cf88d:http_host:172.234.197.23:80\tflow:9177236cf88d \u2192 http_host:172.234.197.23:80\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-061c5d7701fcd16d:host:108.137.123.21:host:172.234.197.23\tSESSION-061c5d7701fcd16d \u2192 host:108.137.123.21 \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:108.136.220.138:asn:16509\thost:108.136.220.138 \u2192 asn:16509\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-90d5b2c6338c7815:host:172.234.197.23\tSESSION-90d5b2c6338c7815 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-d4533a7174934c47:flow:b4f49eacb030\tSESSION-d4533a7174934c47 \u2192 flow:b4f49eacb030\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-51b92cc6a561b81c:SESSION-51b92cc6a561b81c\tSESSION-51b92cc6a561b81c \u2192 pe:tls:SESSION-51b92cc6a561b81c\nFLOW_FROM_HOSTOBS\te:from:SESSION-901a03ef18d43905:host:78.153.140.149\tSESSION-901a03ef18d43905 \u2192 host:78.153.140.149\nflow_observed5-aryOBS\te:fo:flow:bcd27756aa40\tflow:bcd27756aa40 \u2192 host:40.77.167.4 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nflow_observed5-aryOBS\te:fo:flow:67de7fac861b\tflow:67de7fac861b \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nFLOW_FROM_HOSTOBS\te:from:SESSION-28d60172800a0b5c:host:172.234.197.23\tSESSION-28d60172800a0b5c \u2192 host:172.234.197.23\nFLOW_DST_PORTOBS\te:fp:flow:696377210741:port:tcp:80\tflow:696377210741 \u2192 port:tcp:80\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-b6b6a46eb2435b2c:host:172.234.197.23\tSESSION-b6b6a46eb2435b2c \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-d4533a7174934c47:host:172.234.197.23\tSESSION-d4533a7174934c47 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-52ca69764e41f269:flow:81d4435dcab9\tSESSION-52ca69764e41f269 \u2192 flow:81d4435dcab9\nFLOW_TO_HOSTOBS\te:to:SESSION-48258acdb44fa51f:host:172.234.197.23\tSESSION-48258acdb44fa51f \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-ad1c4ddd91bc1148:SESSION-ad1c4ddd91bc1148\tSESSION-ad1c4ddd91bc1148 \u2192 pe:syn:SESSION-ad1c4ddd91bc1148\nFLOW_DST_PORTOBS\te:fp:flow:c853014c7a67:port:udp:53\tflow:c853014c7a67 \u2192 port:udp:53\nFLOW_FROM_HOSTOBS\te:from:SESSION-9d04f6d7b357bacd:host:172.234.197.23\tSESSION-9d04f6d7b357bacd \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-d1099e585fa36f54:host:3.234.246.186:host:172.234.197.23\tSESSION-d1099e585fa36f54 \u2192 host:3.234.246.186 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-8ead85dcd9724179:SESSION-8ead85dcd9724179\tSESSION-8ead85dcd9724179 \u2192 pe:tls:SESSION-8ead85dcd9724179\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-8f7048e06d096abe:host:172.234.197.23\tSESSION-8f7048e06d096abe \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-8f7048e06d096abe:flow:481bc4d957af\tSESSION-8f7048e06d096abe \u2192 flow:481bc4d957af\nFLOW_TO_HOSTOBS\te:to:SESSION-cc46316b9ac69b28:host:172.234.197.23\tSESSION-cc46316b9ac69b28 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-53f109edd419cdc2:host:172.234.197.23\tSESSION-53f109edd419cdc2 \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-f439a23db4014944:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-f439a23db4014944 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-d96f4e3d10a0a4f0:PCAP:capture_20260505180001:aab19cafbf97\tSESSION-d96f4e3d10a0a4f0 \u2192 PCAP:capture_20260505180001:aab19cafbf97\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-c70914c01a4dbe00:host:172.234.197.23\tSESSION-c70914c01a4dbe00 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-1f42c1a2508937e6:host:103.155.16.117:host:172.234.197.23\tSESSION-1f42c1a2508937e6 \u2192 host:103.155.16.117 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-112a52c8741e1f24:host:5.61.209.107\tSESSION-112a52c8741e1f24 \u2192 host:5.61.209.107\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-90b1be10321455be:host:172.234.197.23\tSESSION-90b1be10321455be \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-a4e2d049e521c4ea:host:13.250.21.18\tSESSION-a4e2d049e521c4ea \u2192 host:13.250.21.18\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-3da8c2fb5a75575f:host:172.234.197.23\tSESSION-3da8c2fb5a75575f \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-112a52c8741e1f24:host:172.234.197.23\tSESSION-112a52c8741e1f24 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-48258acdb44fa51f:host:172.234.197.23\tSESSION-48258acdb44fa51f \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-d1d3131167e5d8a7:host:172.234.197.23:host:172.232.0.17\tSESSION-d1d3131167e5d8a7 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-c9df47030e6edeae:host:40.77.167.4:host:172.234.197.23\tSESSION-c9df47030e6edeae \u2192 host:40.77.167.4 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-449dd50fe1669698:host:18.138.243.16\tSESSION-449dd50fe1669698 \u2192 host:18.138.243.16\nFLOW_FROM_HOSTOBS\te:from:SESSION-fb52ff5a15515e30:host:199.45.155.73\tSESSION-fb52ff5a15515e30 \u2192 host:199.45.155.73\nFLOW_DST_PORTOBS\te:fp:flow:484583ddd05a:port:udp:53\tflow:484583ddd05a \u2192 port:udp:53\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-061c5d7701fcd16d:host:108.137.123.21\tSESSION-061c5d7701fcd16d \u2192 host:108.137.123.21\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-ba31b8d0bcea573c:host:172.232.0.17\tSESSION-ba31b8d0bcea573c \u2192 host:172.232.0.17\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:51.224.16.78:geo_52.51960_13.40690\thost:51.224.16.78 \u2192 geo_52.51960_13.40690\nHOST_IN_ASNOBS 85%\te:ha:host:92.118.39.236:asn:47890\thost:92.118.39.236 \u2192 asn:47890\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-90d5b2c6338c7815:SESSION-90d5b2c6338c7815\tSESSION-90d5b2c6338c7815 \u2192 pe:syn:SESSION-90d5b2c6338c7815\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-8946fc29c6b46f6d:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-8946fc29c6b46f6d \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-5d116249fba5ef1a:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-5d116249fba5ef1a \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-8ead85dcd9724179:host:172.234.197.23\tSESSION-8ead85dcd9724179 \u2192 host:172.234.197.23\nflow_observed4-aryOBS\te:fo:flow:a34856d5d292\tflow:a34856d5d292 \u2192 host:199.45.155.73 \u2192 host:172.234.197.23 \u2192 port:tcp:2002\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-a74e44c20494fb3b:PCAP:capture_20260505150001:90690819257f\tSESSION-a74e44c20494fb3b \u2192 PCAP:capture_20260505150001:90690819257f\nASN_IN_ORGOBS 80%\te:ao:asn:31863:org:Centrilogic, Inc.\tasn:31863 \u2192 org:Centrilogic, Inc.\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-ac2fa7388db2f6bf:PCAP:capture_20260505190001:a68bf0af3b16\tSESSION-ac2fa7388db2f6bf \u2192 PCAP:capture_20260505190001:a68bf0af3b16\nASN_IN_ORGOBS 80%\te:ao:asn:4766:org:Korea Telecom\tasn:4766 \u2192 org:Korea Telecom\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-859dff0703adcd19:flow:c8c5a6720f95\tSESSION-859dff0703adcd19 \u2192 flow:c8c5a6720f95\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-9d04f6d7b357bacd:SESSION-9d04f6d7b357bacd\tSESSION-9d04f6d7b357bacd \u2192 pe:dns:SESSION-9d04f6d7b357bacd\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-cc46316b9ac69b28:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-cc46316b9ac69b28 \u2192 PCAP:capture_20260505160001:6505a8988bcf\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-134b659b9f89c977:flow:40d85800a99d\tSESSION-134b659b9f89c977 \u2192 flow:40d85800a99d\nFLOW_QUERIED_DNSOBS\te:fd:flow:7823764fbd64:dns:172-234-197-23.ip.linodeusercontent.com\tflow:7823764fbd64 \u2192 dns:172-234-197-23.ip.linodeusercontent.com\nHOST_IN_ASNOBS 85%\te:ha:host:108.137.154.183:asn:16509\thost:108.137.154.183 \u2192 asn:16509\nASN_IN_ORGOBS 80%\te:ao:asn:202306:org:Hostglobal.plus Ltd\tasn:202306 \u2192 org:Hostglobal.plus Ltd\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-d4533a7174934c47:host:172.234.197.23:host:172.232.0.17\tSESSION-d4533a7174934c47 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-3da8c2fb5a75575f:flow:5c0f3e09f588\tSESSION-3da8c2fb5a75575f \u2192 flow:5c0f3e09f588\nFLOW_DST_PORTOBS\te:fp:flow:4501038c119d:port:tcp:80\tflow:4501038c119d \u2192 port:tcp:80\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:108.136.195.128:geo_-6.21140_106.84460\thost:108.136.195.128 \u2192 geo_-6.21140_106.84460\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-989e93673dd1c7a6:host:14.17.85.204\tSESSION-989e93673dd1c7a6 \u2192 host:14.17.85.204\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:13.216.252.177:geo_39.04690_-77.49030\thost:13.216.252.177 \u2192 geo_39.04690_-77.49030\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-15c7d6c96ae38709:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-15c7d6c96ae38709 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-90d5b2c6338c7815:flow:e67e9c201483\tSESSION-90d5b2c6338c7815 \u2192 flow:e67e9c201483\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-f439a23db4014944:SESSION-f439a23db4014944\tSESSION-f439a23db4014944 \u2192 pe:tls:SESSION-f439a23db4014944\nFLOW_HTTP_HOSTOBS\te:fh:flow:c8c5a6720f95:http_host:172.234.197.23\tflow:c8c5a6720f95 \u2192 http_host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-b43027ed299d5e94:host:172.234.197.23\tSESSION-b43027ed299d5e94 \u2192 host:172.234.197.23\nFLOW_DST_PORTOBS\te:fp:flow:88adc449314f:port:udp:53\tflow:88adc449314f \u2192 port:udp:53\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:13.229.125.1:geo_1.29390_103.84610\thost:13.229.125.1 \u2192 geo_1.29390_103.84610\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:221.156.137.102:geo_34.57110_126.60100\thost:221.156.137.102 \u2192 geo_34.57110_126.60100\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-83e825ce567e05ed:host:172.234.197.23\tSESSION-83e825ce567e05ed \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:108.136.246.109:geo_-6.21140_106.84460\thost:108.136.246.109 \u2192 geo_-6.21140_106.84460\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-e07d35bac2ad33a9:host:43.173.132.115\tSESSION-e07d35bac2ad33a9 \u2192 host:43.173.132.115\nHOST_IN_ASNOBS 85%\te:ha:host:51.224.16.78:asn:16509\thost:51.224.16.78 \u2192 asn:16509\nflow_observed5-aryOBS\te:fo:flow:70c428feea0e\tflow:70c428feea0e \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nFLOW_DST_PORTOBS\te:fp:flow:bcd27756aa40:port:tcp:443\tflow:bcd27756aa40 \u2192 port:tcp:443\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-cc46316b9ac69b28:flow:670bf8372bed\tSESSION-cc46316b9ac69b28 \u2192 flow:670bf8372bed\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 65%\te:bsg:SESSION-061b514c6b7df469:BSG-DATA_EXFIL-cab357e760c3\tSESSION-061b514c6b7df469 \u2192 BSG-DATA_EXFIL-cab357e760c3\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-ad1c4ddd91bc1148:host:3.220.15.173\tSESSION-ad1c4ddd91bc1148 \u2192 host:3.220.15.173\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-90b1be10321455be:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-90b1be10321455be \u2192 PCAP:capture_20260505160001:6505a8988bcf\nFLOW_TO_HOSTOBS\te:to:SESSION-1f42c1a2508937e6:host:172.234.197.23\tSESSION-1f42c1a2508937e6 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:3.234.246.186:geo_39.04690_-77.49030\thost:3.234.246.186 \u2192 geo_39.04690_-77.49030\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:18.138.243.16:geo_1.29390_103.84610\thost:18.138.243.16 \u2192 geo_1.29390_103.84610\nFLOW_DST_PORTOBS\te:fp:flow:fb0a88ae25c4:port:tcp:443\tflow:fb0a88ae25c4 \u2192 port:tcp:443\nFLOW_TO_HOSTOBS\te:to:SESSION-901a03ef18d43905:host:172.234.197.23\tSESSION-901a03ef18d43905 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-e437667b37d516f6:host:54.226.218.70\tSESSION-e437667b37d516f6 \u2192 host:54.226.218.70\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-2defdff48f63b22c:host:172.234.197.23\tSESSION-2defdff48f63b22c \u2192 host:172.234.197.23\nflow_observed5-aryOBS\te:fo:flow:cf8bff248bec\tflow:cf8bff248bec \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nFLOW_QUERIED_DNSOBS\te:fd:flow:84372b4c9378:dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\tflow:84372b4c9378 \u2192 dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-3da8c2fb5a75575f:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-3da8c2fb5a75575f \u2192 PCAP:capture_20260505160001:6505a8988bcf\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-93e42c11b9b89aaf:host:172.234.197.23\tSESSION-93e42c11b9b89aaf \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-a4e2d049e521c4ea:host:13.250.21.18:host:172.234.197.23\tSESSION-a4e2d049e521c4ea \u2192 host:13.250.21.18 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-98342a2659e39b9d:host:102.69.167.14:host:172.234.197.23\tSESSION-98342a2659e39b9d \u2192 host:102.69.167.14 \u2192 host:172.234.197.23\nASN_IN_ORGOBS 80%\te:ao:asn:16509:org:Amazon.com, Inc.\tasn:16509 \u2192 org:Amazon.com, Inc.\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-859dff0703adcd19:SESSION-859dff0703adcd19\tSESSION-859dff0703adcd19 \u2192 pe:syn:SESSION-859dff0703adcd19\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-90d5b2c6338c7815:PCAP:capture_20260505150001:90690819257f\tSESSION-90d5b2c6338c7815 \u2192 PCAP:capture_20260505150001:90690819257f\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-83e825ce567e05ed:host:51.224.214.156:host:172.234.197.23\tSESSION-83e825ce567e05ed \u2192 host:51.224.214.156 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:43.172.194.114:geo_1.36670_103.80000\thost:43.172.194.114 \u2192 geo_1.36670_103.80000\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-bb030de157a28a92:flow:a54692a6979d\tSESSION-bb030de157a28a92 \u2192 flow:a54692a6979d\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-989e93673dd1c7a6:flow:1914bb7cc20f\tSESSION-989e93673dd1c7a6 \u2192 flow:1914bb7cc20f\nASN_IN_ORGOBS 80%\te:ao:asn:134763:org:CHINANET Guangdong province network\tasn:134763 \u2192 org:CHINANET Guangdong province network\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-c70914c01a4dbe00:flow:18ab509ee72d\tSESSION-c70914c01a4dbe00 \u2192 flow:18ab509ee72d\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-22dca0f7e254df40:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-22dca0f7e254df40 \u2192 PCAP:capture_20260505160001:6505a8988bcf\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-5ceacf6e3fad521a:host:172.234.197.23:host:172.232.0.17\tSESSION-5ceacf6e3fad521a \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-1e693ff8754b6a4b:flow:8089546c59de\tSESSION-1e693ff8754b6a4b \u2192 flow:8089546c59de\nFLOW_TO_HOSTOBS\te:to:SESSION-4be2484ef7d205f9:host:172.234.197.23\tSESSION-4be2484ef7d205f9 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:16.78.103.11:geo_-6.21140_106.84460\thost:16.78.103.11 \u2192 geo_-6.21140_106.84460\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-6f591a82d04e2f23:host:108.137.154.183\tSESSION-6f591a82d04e2f23 \u2192 host:108.137.154.183\nFLOW_QUERIED_DNSOBS\te:fd:flow:a0f73d4e1f2a:dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\tflow:a0f73d4e1f2a \u2192 dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-5d116249fba5ef1a:SESSION-5d116249fba5ef1a\tSESSION-5d116249fba5ef1a \u2192 pe:syn:SESSION-5d116249fba5ef1a\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-28d60172800a0b5c:host:172.234.197.23:host:172.232.0.17\tSESSION-28d60172800a0b5c \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-b0bace154ed8e7e1:PCAP:capture_20260505150001:90690819257f\tSESSION-b0bace154ed8e7e1 \u2192 PCAP:capture_20260505150001:90690819257f\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-15c7d6c96ae38709:flow:a17816cafef4\tSESSION-15c7d6c96ae38709 \u2192 flow:a17816cafef4\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:91.227.37.60:geo_48.85580_2.34940\thost:91.227.37.60 \u2192 geo_48.85580_2.34940\nflow_observed4-aryOBS\te:fo:flow:481bc4d957af\tflow:481bc4d957af \u2192 host:172.234.197.23 \u2192 host:92.118.39.236 \u2192 port:tcp:46006\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-83e825ce567e05ed:host:51.224.214.156\tSESSION-83e825ce567e05ed \u2192 host:51.224.214.156\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-d1d3131167e5d8a7:flow:0f6e4fea1ebd\tSESSION-d1d3131167e5d8a7 \u2192 flow:0f6e4fea1ebd\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-afdbc113425d69ae:host:172.234.197.23\tSESSION-afdbc113425d69ae \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-d96f4e3d10a0a4f0:host:103.155.16.117\tSESSION-d96f4e3d10a0a4f0 \u2192 host:103.155.16.117\nHOST_IN_ASNOBS 85%\te:ha:host:103.155.16.117:asn:138915\thost:103.155.16.117 \u2192 asn:138915\nASN_IN_ORGOBS 80%\te:ao:asn:132203:org:Tencent Building, Kejizhongyi Avenue\tasn:132203 \u2192 org:Tencent Building, Kejizhongyi Avenue\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-548e9314b3086ca9:host:3.143.162.210\tSESSION-548e9314b3086ca9 \u2192 host:3.143.162.210\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-28d60172800a0b5c:PCAP:capture_20260505210001:fe9b7b09d76a\tSESSION-28d60172800a0b5c \u2192 PCAP:capture_20260505210001:fe9b7b09d76a\nFLOW_DST_PORTOBS\te:fp:flow:b4f49eacb030:port:udp:53\tflow:b4f49eacb030 \u2192 port:udp:53\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-cef22d690e31564a:host:172.232.0.17\tSESSION-cef22d690e31564a \u2192 host:172.232.0.17\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-4be2484ef7d205f9:PCAP:capture_20260505210001:fe9b7b09d76a\tSESSION-4be2484ef7d205f9 \u2192 PCAP:capture_20260505210001:fe9b7b09d76a\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-1e693ff8754b6a4b:host:172.234.197.23\tSESSION-1e693ff8754b6a4b \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-0280199fcf3ea167:host:32.195.50.176:host:172.234.197.23\tSESSION-0280199fcf3ea167 \u2192 host:32.195.50.176 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-fb52ff5a15515e30:host:172.234.197.23\tSESSION-fb52ff5a15515e30 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-4be2484ef7d205f9:SESSION-4be2484ef7d205f9\tSESSION-4be2484ef7d205f9 \u2192 pe:syn:SESSION-4be2484ef7d205f9\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-2defdff48f63b22c:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-2defdff48f63b22c \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nFLOW_TO_HOSTOBS\te:to:SESSION-f439a23db4014944:host:172.234.197.23\tSESSION-f439a23db4014944 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-cef22d690e31564a:host:172.232.0.17\tSESSION-cef22d690e31564a \u2192 host:172.232.0.17\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-0280199fcf3ea167:flow:4ddbe4acc504\tSESSION-0280199fcf3ea167 \u2192 flow:4ddbe4acc504\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-5b835c6ebb995a7d:flow:ef50ec85480c\tSESSION-5b835c6ebb995a7d \u2192 flow:ef50ec85480c\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-34afdab6201869ee:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-34afdab6201869ee \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nHOST_IN_ASNOBS 85%\te:ha:host:54.237.9.199:asn:14618\thost:54.237.9.199 \u2192 asn:14618\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-a74e44c20494fb3b:flow:729bae75cfd4\tSESSION-a74e44c20494fb3b \u2192 flow:729bae75cfd4\nflow_observed3-aryOBS\te:fo:flow:6bb1f29d53ff\tflow:6bb1f29d53ff \u2192 host:3.234.246.186 \u2192 host:172.234.197.23\nPORT_IMPLIED_SERVICEIMP 70%\te:ps:port:tcp:443:svc:https\tport:tcp:443 \u2192 svc:https\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-56879d86cd26b6ef:SESSION-56879d86cd26b6ef\tSESSION-56879d86cd26b6ef \u2192 pe:dns:SESSION-56879d86cd26b6ef\nflow_observed3-aryOBS\te:fo:flow:18c0bf5b5d25\tflow:18c0bf5b5d25 \u2192 host:44.203.55.60 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-c70914c01a4dbe00:host:221.156.137.102:host:172.234.197.23\tSESSION-c70914c01a4dbe00 \u2192 host:221.156.137.102 \u2192 host:172.234.197.23\nflow_observed5-aryOBS\te:fo:flow:81d4435dcab9\tflow:81d4435dcab9 \u2192 host:40.77.167.27 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nFLOW_DST_PORTOBS\te:fp:flow:481bc4d957af:port:tcp:46006\tflow:481bc4d957af \u2192 port:tcp:46006\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-51b92cc6a561b81c:host:54.227.57.227\tSESSION-51b92cc6a561b81c \u2192 host:54.227.57.227\nFLOW_DST_PORTOBS\te:fp:flow:e67e9c201483:port:tcp:23\tflow:e67e9c201483 \u2192 port:tcp:23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-29997713c592805d:SESSION-29997713c592805d\tSESSION-29997713c592805d \u2192 pe:dns:SESSION-29997713c592805d\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-56879d86cd26b6ef:flow:7ac69d00b687\tSESSION-56879d86cd26b6ef \u2192 flow:7ac69d00b687\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:43.173.187.143:geo_1.29390_103.84610\thost:43.173.187.143 \u2192 geo_1.29390_103.84610\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-a4e2d049e521c4ea:host:13.250.21.18\tSESSION-a4e2d049e521c4ea \u2192 host:13.250.21.18\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-a74e44c20494fb3b:host:172.234.197.23\tSESSION-a74e44c20494fb3b \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-93e42c11b9b89aaf:SESSION-93e42c11b9b89aaf\tSESSION-93e42c11b9b89aaf \u2192 pe:dns:SESSION-93e42c11b9b89aaf\nFLOW_TO_HOSTOBS\te:to:SESSION-5ad6262f0c135833:host:172.234.197.23\tSESSION-5ad6262f0c135833 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-5ad6262f0c135833:host:16.78.103.11\tSESSION-5ad6262f0c135833 \u2192 host:16.78.103.11\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 50%\te:bsg:SESSION-afdbc113425d69ae:BSG-DATA_EXFIL-248342848c58\tSESSION-afdbc113425d69ae \u2192 BSG-DATA_EXFIL-248342848c58\nFLOW_FROM_HOSTOBS\te:from:SESSION-061c5d7701fcd16d:host:108.137.123.21\tSESSION-061c5d7701fcd16d \u2192 host:108.137.123.21\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-9d04f6d7b357bacd:host:172.234.197.23:host:172.232.0.17\tSESSION-9d04f6d7b357bacd \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-e07d35bac2ad33a9:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-e07d35bac2ad33a9 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-7b3c407fbcf7cdbc:PCAP:capture_20260505150001:90690819257f\tSESSION-7b3c407fbcf7cdbc \u2192 PCAP:capture_20260505150001:90690819257f\nFLOW_FROM_HOSTOBS\te:from:SESSION-52ca69764e41f269:host:40.77.167.27\tSESSION-52ca69764e41f269 \u2192 host:40.77.167.27\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-8ead85dcd9724179:host:43.173.187.143\tSESSION-8ead85dcd9724179 \u2192 host:43.173.187.143\nHOST_IN_ASNOBS 85%\te:ha:host:16.79.76.70:asn:16509\thost:16.79.76.70 \u2192 asn:16509\nFLOW_TO_HOSTOBS\te:to:SESSION-b0bace154ed8e7e1:host:172.234.197.23\tSESSION-b0bace154ed8e7e1 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:54.227.57.227:geo_39.04690_-77.49030\thost:54.227.57.227 \u2192 geo_39.04690_-77.49030\nFLOW_TO_HOSTOBS\te:to:SESSION-51b92cc6a561b81c:host:172.234.197.23\tSESSION-51b92cc6a561b81c \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-28d60172800a0b5c:host:172.232.0.17\tSESSION-28d60172800a0b5c \u2192 host:172.232.0.17\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-2defdff48f63b22c:flow:143398f9d784\tSESSION-2defdff48f63b22c \u2192 flow:143398f9d784\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-5d116249fba5ef1a:host:14.152.83.244\tSESSION-5d116249fba5ef1a \u2192 host:14.152.83.244\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-548e9314b3086ca9:flow:f7a277f9998b\tSESSION-548e9314b3086ca9 \u2192 flow:f7a277f9998b\nHOST_IN_ASNOBS 85%\te:ha:host:40.77.167.27:asn:8075\thost:40.77.167.27 \u2192 asn:8075\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-c9df47030e6edeae:flow:c7fc0633636d\tSESSION-c9df47030e6edeae \u2192 flow:c7fc0633636d\nASN_IN_ORGOBS 80%\te:ao:asn:138421:org:China Unicom\tasn:138421 \u2192 org:China Unicom\nFLOW_FROM_HOSTOBS\te:from:SESSION-51b92cc6a561b81c:host:54.227.57.227\tSESSION-51b92cc6a561b81c \u2192 host:54.227.57.227\nflow_observed5-aryOBS\te:fo:flow:0f6e4fea1ebd\tflow:0f6e4fea1ebd \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nFLOW_TO_HOSTOBS\te:to:SESSION-989e93673dd1c7a6:host:172.234.197.23\tSESSION-989e93673dd1c7a6 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:16.79.76.70:geo_-6.21140_106.84460\thost:16.79.76.70 \u2192 geo_-6.21140_106.84460\nflow_observed5-aryOBS\te:fo:flow:daf8c45d27ff\tflow:daf8c45d27ff \u2192 host:45.148.10.121 \u2192 host:172.234.197.23 \u2192 port:tcp:22 \u2192 svc:ssh\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 90%\te:bsg:SESSION-29997713c592805d:BSG-BEACON-f6c2b3d0e42d\tSESSION-29997713c592805d \u2192 BSG-BEACON-f6c2b3d0e42d\nFLOW_TO_HOSTOBS\te:to:SESSION-34afdab6201869ee:host:172.234.197.23\tSESSION-34afdab6201869ee \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-bf0cece70f740446:host:172.234.197.23\tSESSION-bf0cece70f740446 \u2192 host:172.234.197.23\nflow_observed5-aryOBS\te:fo:flow:484583ddd05a\tflow:484583ddd05a \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-3936b227c1331c5d:flow:3b056e5c7d7c\tSESSION-3936b227c1331c5d \u2192 flow:3b056e5c7d7c\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-4561579556c17060:SESSION-4561579556c17060\tSESSION-4561579556c17060 \u2192 pe:syn:SESSION-4561579556c17060\nFLOW_FROM_HOSTOBS\te:from:SESSION-83e825ce567e05ed:host:51.224.214.156\tSESSION-83e825ce567e05ed \u2192 host:51.224.214.156\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-bf0cece70f740446:flow:18c0bf5b5d25\tSESSION-bf0cece70f740446 \u2192 flow:18c0bf5b5d25\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-1164951de921d536:SESSION-1164951de921d536\tSESSION-1164951de921d536 \u2192 pe:syn:SESSION-1164951de921d536\nFLOW_FROM_HOSTOBS\te:from:SESSION-061b514c6b7df469:host:172.236.119.165\tSESSION-061b514c6b7df469 \u2192 host:172.236.119.165\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-402c59976f95ccac:host:172.234.197.23:host:172.232.0.17\tSESSION-402c59976f95ccac \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-cc46316b9ac69b28:host:172.234.197.23\tSESSION-cc46316b9ac69b28 \u2192 host:172.234.197.23\nFLOW_TLS_SNIOBS\te:fs:flow:81d4435dcab9:tls_sni:172-234-197-23.ip.linodeusercontent.com\tflow:81d4435dcab9 \u2192 tls_sni:172-234-197-23.ip.linodeusercontent.com\nflow_observed3-aryOBS\te:fo:flow:c4b1d3f380b6\tflow:c4b1d3f380b6 \u2192 host:16.79.76.70 \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:51.224.214.156:asn:16509\thost:51.224.214.156 \u2192 asn:16509\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-8946fc29c6b46f6d:host:43.172.194.114:host:172.234.197.23\tSESSION-8946fc29c6b46f6d \u2192 host:43.172.194.114 \u2192 host:172.234.197.23\nASN_IN_ORGOBS 80%\te:ao:asn:47890:org:Unmanaged Ltd\tasn:47890 \u2192 org:Unmanaged Ltd\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-52ca69764e41f269:host:40.77.167.27:host:172.234.197.23\tSESSION-52ca69764e41f269 \u2192 host:40.77.167.27 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-08dd2a06bab4a852:host:172.232.0.17\tSESSION-08dd2a06bab4a852 \u2192 host:172.232.0.17\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-34afdab6201869ee:host:51.224.53.243\tSESSION-34afdab6201869ee \u2192 host:51.224.53.243\nHOST_IN_ASNOBS 85%\te:ha:host:92.118.39.196:asn:47890\thost:92.118.39.196 \u2192 asn:47890\nFLOW_FROM_HOSTOBS\te:from:SESSION-3936b227c1331c5d:host:108.136.231.22\tSESSION-3936b227c1331c5d \u2192 host:108.136.231.22\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-9ac8120baa6b4cb5:host:16.79.76.70:host:172.234.197.23\tSESSION-9ac8120baa6b4cb5 \u2192 host:16.79.76.70 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-4561579556c17060:flow:441658b54583\tSESSION-4561579556c17060 \u2192 flow:441658b54583\nflow_observed3-aryOBS\te:fo:flow:729bae75cfd4\tflow:729bae75cfd4 \u2192 host:51.224.16.78 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-3936b227c1331c5d:host:108.136.231.22:host:172.234.197.23\tSESSION-3936b227c1331c5d \u2192 host:108.136.231.22 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-449dd50fe1669698:host:172.234.197.23\tSESSION-449dd50fe1669698 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-9ac8120baa6b4cb5:host:16.79.76.70\tSESSION-9ac8120baa6b4cb5 \u2192 host:16.79.76.70\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-6f371d3a9290449b:SESSION-6f371d3a9290449b\tSESSION-6f371d3a9290449b \u2192 pe:dns:SESSION-6f371d3a9290449b\nFLOW_QUERIED_DNSOBS\te:fd:flow:70c428feea0e:dns:172-234-197-23.ip.linodeusercontent.com\tflow:70c428feea0e \u2192 dns:172-234-197-23.ip.linodeusercontent.com\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-061b514c6b7df469:flow:3a5125854ad8\tSESSION-061b514c6b7df469 \u2192 flow:3a5125854ad8\nHOST_IN_ASNOBS 85%\te:ha:host:51.224.145.152:asn:16509\thost:51.224.145.152 \u2192 asn:16509\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:92.118.39.236:geo_45.99680_24.99700\thost:92.118.39.236 \u2192 geo_45.99680_24.99700\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-d1099e585fa36f54:host:3.234.246.186\tSESSION-d1099e585fa36f54 \u2192 host:3.234.246.186\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-22e21c154242e139:flow:a4bc84010efc\tSESSION-22e21c154242e139 \u2192 flow:a4bc84010efc\nHOST_IN_ASNOBS 85%\te:ha:host:3.234.246.186:asn:14618\thost:3.234.246.186 \u2192 asn:14618\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:14.152.83.244:geo_34.77320_113.72200\thost:14.152.83.244 \u2192 geo_34.77320_113.72200\nFLOW_DST_PORTOBS\te:fp:flow:441658b54583:port:tcp:443\tflow:441658b54583 \u2192 port:tcp:443\nflow_observed5-aryOBS\te:fo:flow:c853014c7a67\tflow:c853014c7a67 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-6f371d3a9290449b:PCAP:capture_20260505190001:a68bf0af3b16\tSESSION-6f371d3a9290449b \u2192 PCAP:capture_20260505190001:a68bf0af3b16\nFLOW_TO_HOSTOBS\te:to:SESSION-52ca69764e41f269:host:172.234.197.23\tSESSION-52ca69764e41f269 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-e07d35bac2ad33a9:host:172.234.197.23\tSESSION-e07d35bac2ad33a9 \u2192 host:172.234.197.23\nPORT_IMPLIED_SERVICEIMP 70%\te:ps:port:tcp:22:svc:ssh\tport:tcp:22 \u2192 svc:ssh\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-51b92cc6a561b81c:SESSION-51b92cc6a561b81c\tSESSION-51b92cc6a561b81c \u2192 pe:syn:SESSION-51b92cc6a561b81c\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-061c5d7701fcd16d:flow:3b21f9ede7cb\tSESSION-061c5d7701fcd16d \u2192 flow:3b21f9ede7cb\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-ec5c8fa8037e3562:host:172.234.197.23\tSESSION-ec5c8fa8037e3562 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-2defdff48f63b22c:host:172.234.197.23\tSESSION-2defdff48f63b22c \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-9ac8120baa6b4cb5:host:16.79.76.70\tSESSION-9ac8120baa6b4cb5 \u2192 host:16.79.76.70\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-c260bd1d3b6a172d:host:51.224.123.234\tSESSION-c260bd1d3b6a172d \u2192 host:51.224.123.234\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-ba31b8d0bcea573c:host:172.234.197.23:host:172.232.0.17\tSESSION-ba31b8d0bcea573c \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-449dd50fe1669698:host:172.234.197.23\tSESSION-449dd50fe1669698 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-ac2fa7388db2f6bf:host:172.234.197.23:host:172.232.0.17\tSESSION-ac2fa7388db2f6bf \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-08dd2a06bab4a852:flow:67de7fac861b\tSESSION-08dd2a06bab4a852 \u2192 flow:67de7fac861b\nHOST_IN_ASNOBS 85%\te:ha:host:172.98.199.111:asn:31863\thost:172.98.199.111 \u2192 asn:31863\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-b0bace154ed8e7e1:host:103.220.165.12:host:172.234.197.23\tSESSION-b0bace154ed8e7e1 \u2192 host:103.220.165.12 \u2192 host:172.234.197.23\nFLOW_QUERIED_DNSOBS\te:fd:flow:449957d41315:dns:api.snapcraft.io\tflow:449957d41315 \u2192 dns:api.snapcraft.io\nFLOW_FROM_HOSTOBS\te:from:SESSION-3da8c2fb5a75575f:host:108.136.231.22\tSESSION-3da8c2fb5a75575f \u2192 host:108.136.231.22\nflow_observed5-aryOBS\te:fo:flow:696377210741\tflow:696377210741 \u2192 host:43.173.132.115 \u2192 host:172.234.197.23 \u2192 port:tcp:80 \u2192 svc:http\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-3da8c2fb5a75575f:host:108.136.231.22:host:172.234.197.23\tSESSION-3da8c2fb5a75575f \u2192 host:108.136.231.22 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-7b3c407fbcf7cdbc:host:108.136.220.138\tSESSION-7b3c407fbcf7cdbc \u2192 host:108.136.220.138\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-22e21c154242e139:host:108.136.195.128\tSESSION-22e21c154242e139 \u2192 host:108.136.195.128\nFLOW_DST_PORTOBS\te:fp:flow:a4dceb0b502c:port:udp:53\tflow:a4dceb0b502c \u2192 port:udp:53\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-8946fc29c6b46f6d:SESSION-8946fc29c6b46f6d\tSESSION-8946fc29c6b46f6d \u2192 pe:syn:SESSION-8946fc29c6b46f6d\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-93e42c11b9b89aaf:PCAP:capture_20260505150001:90690819257f\tSESSION-93e42c11b9b89aaf \u2192 PCAP:capture_20260505150001:90690819257f\nFLOW_TO_HOSTOBS\te:to:SESSION-4d8ee5a4e3d2c6cb:host:172.234.197.23\tSESSION-4d8ee5a4e3d2c6cb \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-d8e778a85b00d06e:flow:a4f2cd6ce2f7\tSESSION-d8e778a85b00d06e \u2192 flow:a4f2cd6ce2f7\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-9ac8120baa6b4cb5:flow:8914df23a392\tSESSION-9ac8120baa6b4cb5 \u2192 flow:8914df23a392\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-d96f4e3d10a0a4f0:host:103.155.16.117\tSESSION-d96f4e3d10a0a4f0 \u2192 host:103.155.16.117\nFLOW_FROM_HOSTOBS\te:from:SESSION-1d2c12c54a6b8ee9:host:172.234.197.23\tSESSION-1d2c12c54a6b8ee9 \u2192 host:172.234.197.23\nFLOW_QUERIED_DNSOBS\te:fd:flow:88adc449314f:dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\tflow:88adc449314f \u2192 dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\nFLOW_TO_HOSTOBS\te:to:SESSION-fb52ff5a15515e30:host:172.234.197.23\tSESSION-fb52ff5a15515e30 \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:3.220.15.173:asn:14618\thost:3.220.15.173 \u2192 asn:14618\nFLOW_DST_PORTOBS\te:fp:flow:3a5125854ad8:port:tcp:443\tflow:3a5125854ad8 \u2192 port:tcp:443\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-1d2c12c54a6b8ee9:PCAP:capture_20260505190001:a68bf0af3b16\tSESSION-1d2c12c54a6b8ee9 \u2192 PCAP:capture_20260505190001:a68bf0af3b16\nFLOW_QUERIED_DNSOBS\te:fd:flow:c853014c7a67:dns:172-234-197-23.ip.linodeusercontent.com\tflow:c853014c7a67 \u2192 dns:172-234-197-23.ip.linodeusercontent.com\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-e07d35bac2ad33a9:SESSION-e07d35bac2ad33a9\tSESSION-e07d35bac2ad33a9 \u2192 pe:syn:SESSION-e07d35bac2ad33a9\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-98342a2659e39b9d:PCAP:capture_20260505150001:90690819257f\tSESSION-98342a2659e39b9d \u2192 PCAP:capture_20260505150001:90690819257f\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:32.195.50.176:geo_37.75100_-97.82200\thost:32.195.50.176 \u2192 geo_37.75100_-97.82200\nASN_IN_ORGOBS 80%\te:ao:asn:63949:org:Akamai Connected Cloud\tasn:63949 \u2192 org:Akamai Connected Cloud\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-7b3c407fbcf7cdbc:host:108.136.220.138\tSESSION-7b3c407fbcf7cdbc \u2192 host:108.136.220.138\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-1f42c1a2508937e6:host:103.155.16.117\tSESSION-1f42c1a2508937e6 \u2192 host:103.155.16.117\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-c28f30a8568677bd:host:54.237.9.199\tSESSION-c28f30a8568677bd \u2192 host:54.237.9.199\nFLOW_FROM_HOSTOBS\te:from:SESSION-134b659b9f89c977:host:172.234.197.23\tSESSION-134b659b9f89c977 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-f439a23db4014944:flow:347478b466ec\tSESSION-f439a23db4014944 \u2192 flow:347478b466ec\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-1164951de921d536:SESSION-1164951de921d536\tSESSION-1164951de921d536 \u2192 pe:tls:SESSION-1164951de921d536\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-134b659b9f89c977:host:172.234.197.23\tSESSION-134b659b9f89c977 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-c260bd1d3b6a172d:host:51.224.123.234:host:172.234.197.23\tSESSION-c260bd1d3b6a172d \u2192 host:51.224.123.234 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-c9df47030e6edeae:host:172.234.197.23\tSESSION-c9df47030e6edeae \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-ec5c8fa8037e3562:flow:02ba1d809494\tSESSION-ec5c8fa8037e3562 \u2192 flow:02ba1d809494\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-859dff0703adcd19:host:78.153.140.149\tSESSION-859dff0703adcd19 \u2192 host:78.153.140.149\nflow_observed3-aryOBS\te:fo:flow:8914df23a392\tflow:8914df23a392 \u2192 host:16.79.76.70 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-d1099e585fa36f54:host:172.234.197.23\tSESSION-d1099e585fa36f54 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-98342a2659e39b9d:SESSION-98342a2659e39b9d\tSESSION-98342a2659e39b9d \u2192 pe:tls:SESSION-98342a2659e39b9d\nflow_observed5-aryOBS\te:fo:flow:1ef937ba29a6\tflow:1ef937ba29a6 \u2192 host:43.172.194.114 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nFLOW_FROM_HOSTOBS\te:from:SESSION-6f591a82d04e2f23:host:108.137.154.183\tSESSION-6f591a82d04e2f23 \u2192 host:108.137.154.183\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-859dff0703adcd19:host:172.234.197.23\tSESSION-859dff0703adcd19 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-e437667b37d516f6:host:54.226.218.70:host:172.234.197.23\tSESSION-e437667b37d516f6 \u2192 host:54.226.218.70 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-cef22d690e31564a:flow:a0f73d4e1f2a\tSESSION-cef22d690e31564a \u2192 flow:a0f73d4e1f2a\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:rst:SESSION-5b835c6ebb995a7d:SESSION-5b835c6ebb995a7d\tSESSION-5b835c6ebb995a7d \u2192 pe:rst:SESSION-5b835c6ebb995a7d\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 75%\te:bsg:SESSION-93e42c11b9b89aaf:BSG-BEACON-f6c2b3d0e42d\tSESSION-93e42c11b9b89aaf \u2192 BSG-BEACON-f6c2b3d0e42d\nFLOW_TO_HOSTOBS\te:to:SESSION-bb030de157a28a92:host:172.234.197.23\tSESSION-bb030de157a28a92 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-52ca69764e41f269:host:40.77.167.27\tSESSION-52ca69764e41f269 \u2192 host:40.77.167.27\nFLOW_TO_HOSTOBS\te:to:SESSION-ac2fa7388db2f6bf:host:172.232.0.17\tSESSION-ac2fa7388db2f6bf \u2192 host:172.232.0.17\nFLOW_QUERIED_DNSOBS\te:fd:flow:b4f49eacb030:dns:172-234-197-23.ip.linodeusercontent.com\tflow:b4f49eacb030 \u2192 dns:172-234-197-23.ip.linodeusercontent.com\nFLOW_FROM_HOSTOBS\te:from:SESSION-e07d35bac2ad33a9:host:43.173.132.115\tSESSION-e07d35bac2ad33a9 \u2192 host:43.173.132.115\nFLOW_TO_HOSTOBS\te:to:SESSION-90d5b2c6338c7815:host:172.234.197.23\tSESSION-90d5b2c6338c7815 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-d1d3131167e5d8a7:SESSION-d1d3131167e5d8a7\tSESSION-d1d3131167e5d8a7 \u2192 pe:dns:SESSION-d1d3131167e5d8a7\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-08dd2a06bab4a852:host:172.232.0.17\tSESSION-08dd2a06bab4a852 \u2192 host:172.232.0.17\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-b0bace154ed8e7e1:host:172.234.197.23\tSESSION-b0bace154ed8e7e1 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-bf0cece70f740446:host:44.203.55.60:host:172.234.197.23\tSESSION-bf0cece70f740446 \u2192 host:44.203.55.60 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-34afdab6201869ee:flow:c79e28885a99\tSESSION-34afdab6201869ee \u2192 flow:c79e28885a99\nHOST_IN_ASNOBS 85%\te:ha:host:172.232.0.17:asn:63949\thost:172.232.0.17 \u2192 asn:63949\nHOST_IN_ASNOBS 85%\te:ha:host:82.86.130.0:asn:272809\thost:82.86.130.0 \u2192 asn:272809\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-5ad6262f0c135833:flow:4e35f51811d2\tSESSION-5ad6262f0c135833 \u2192 flow:4e35f51811d2\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:51.224.214.156:geo_52.51960_13.40690\thost:51.224.214.156 \u2192 geo_52.51960_13.40690\nHOST_IN_ASNOBS 85%\te:ha:host:51.224.129.180:asn:16509\thost:51.224.129.180 \u2192 asn:16509\nASN_IN_ORGOBS 80%\te:ao:asn:138915:org:Kaopu Cloud HK Limited\tasn:138915 \u2192 org:Kaopu Cloud HK Limited\nFLOW_FROM_HOSTOBS\te:from:SESSION-5ceacf6e3fad521a:host:172.234.197.23\tSESSION-5ceacf6e3fad521a \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-51b92cc6a561b81c:host:172.234.197.23\tSESSION-51b92cc6a561b81c \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-c9df47030e6edeae:SESSION-c9df47030e6edeae\tSESSION-c9df47030e6edeae \u2192 pe:tls:SESSION-c9df47030e6edeae\nFLOW_FROM_HOSTOBS\te:from:SESSION-8946fc29c6b46f6d:host:43.172.194.114\tSESSION-8946fc29c6b46f6d \u2192 host:43.172.194.114\nFLOW_TO_HOSTOBS\te:to:SESSION-ec5c8fa8037e3562:host:172.234.197.23\tSESSION-ec5c8fa8037e3562 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-98342a2659e39b9d:flow:d55b3af6cdbc\tSESSION-98342a2659e39b9d \u2192 flow:d55b3af6cdbc\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-0280199fcf3ea167:host:32.195.50.176\tSESSION-0280199fcf3ea167 \u2192 host:32.195.50.176\nFLOW_TO_HOSTOBS\te:to:SESSION-7b3c407fbcf7cdbc:host:172.234.197.23\tSESSION-7b3c407fbcf7cdbc \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:43.173.132.115:asn:132203\thost:43.173.132.115 \u2192 asn:132203\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-5ceacf6e3fad521a:host:172.232.0.17\tSESSION-5ceacf6e3fad521a \u2192 host:172.232.0.17\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-afdbc113425d69ae:host:91.227.37.60:host:172.234.197.23\tSESSION-afdbc113425d69ae \u2192 host:91.227.37.60 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-48538346c6e3fa4e:flow:d660fa8ff9b1\tSESSION-48538346c6e3fa4e \u2192 flow:d660fa8ff9b1\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-7b3c407fbcf7cdbc:flow:8c9867a7b467\tSESSION-7b3c407fbcf7cdbc \u2192 flow:8c9867a7b467\nFLOW_TO_HOSTOBS\te:to:SESSION-6f371d3a9290449b:host:172.232.0.17\tSESSION-6f371d3a9290449b \u2192 host:172.232.0.17\nFLOW_DST_PORTOBS\te:fp:flow:c7fc0633636d:port:tcp:443\tflow:c7fc0633636d \u2192 port:tcp:443\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-cef22d690e31564a:host:172.234.197.23:host:172.232.0.17\tSESSION-cef22d690e31564a \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-112a52c8741e1f24:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-112a52c8741e1f24 \u2192 PCAP:capture_20260505160001:6505a8988bcf\nFLOW_DST_PORTOBS\te:fp:flow:70c428feea0e:port:udp:53\tflow:70c428feea0e \u2192 port:udp:53\nFLOW_DST_PORTOBS\te:fp:flow:a34856d5d292:port:tcp:2002\tflow:a34856d5d292 \u2192 port:tcp:2002\nFLOW_HTTP_HOSTOBS\te:fh:flow:696377210741:http_host:172-234-197-23.ip.linodeusercontent.com\tflow:696377210741 \u2192 http_host:172-234-197-23.ip.linodeusercontent.com\nFLOW_FROM_HOSTOBS\te:from:SESSION-4be2484ef7d205f9:host:199.45.155.73\tSESSION-4be2484ef7d205f9 \u2192 host:199.45.155.73\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-5b835c6ebb995a7d:host:5.61.209.107\tSESSION-5b835c6ebb995a7d \u2192 host:5.61.209.107\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-d8e778a85b00d06e:host:13.229.125.1:host:172.234.197.23\tSESSION-d8e778a85b00d06e \u2192 host:13.229.125.1 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:108.136.220.138:geo_-6.21140_106.84460\thost:108.136.220.138 \u2192 geo_-6.21140_106.84460\nflow_observed4-aryOBS\te:fo:flow:e67e9c201483\tflow:e67e9c201483 \u2192 host:82.86.130.0 \u2192 host:172.234.197.23 \u2192 port:tcp:23\nFLOW_FROM_HOSTOBS\te:from:SESSION-1164951de921d536:host:40.77.167.4\tSESSION-1164951de921d536 \u2192 host:40.77.167.4\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-8f7048e06d096abe:PCAP:capture_20260505200001:d502e7eabbdd\tSESSION-8f7048e06d096abe \u2192 PCAP:capture_20260505200001:d502e7eabbdd\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:108.137.123.21:geo_-6.21140_106.84460\thost:108.137.123.21 \u2192 geo_-6.21140_106.84460\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:51.224.129.180:geo_52.51960_13.40690\thost:51.224.129.180 \u2192 geo_52.51960_13.40690\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-f439a23db4014944:host:14.17.85.204:host:172.234.197.23\tSESSION-f439a23db4014944 \u2192 host:14.17.85.204 \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-e437667b37d516f6:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-e437667b37d516f6 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-15c7d6c96ae38709:SESSION-15c7d6c96ae38709\tSESSION-15c7d6c96ae38709 \u2192 pe:tls:SESSION-15c7d6c96ae38709\nHOST_IN_ASNOBS 85%\te:ha:host:43.173.132.82:asn:132203\thost:43.173.132.82 \u2192 asn:132203\nFLOW_DST_PORTOBS\te:fp:flow:83a5cffc6703:port:tcp:443\tflow:83a5cffc6703 \u2192 port:tcp:443\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:103.220.165.12:geo_34.77320_113.72200\thost:103.220.165.12 \u2192 geo_34.77320_113.72200\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:rst:SESSION-432ab8a16199cf6c:SESSION-432ab8a16199cf6c\tSESSION-432ab8a16199cf6c \u2192 pe:rst:SESSION-432ab8a16199cf6c\nFLOW_DST_PORTOBS\te:fp:flow:da8d91463c3d:port:tcp:2002\tflow:da8d91463c3d \u2192 port:tcp:2002\nHOST_IN_ASNOBS 85%\te:ha:host:221.156.137.102:asn:4766\thost:221.156.137.102 \u2192 asn:4766\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:108.137.71.172:geo_-6.21140_106.84460\thost:108.137.71.172 \u2192 geo_-6.21140_106.84460\nFLOW_DST_PORTOBS\te:fp:flow:18ab509ee72d:port:tcp:22\tflow:18ab509ee72d \u2192 port:tcp:22\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-d4533a7174934c47:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-d4533a7174934c47 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nFLOW_DST_PORTOBS\te:fp:flow:f7a277f9998b:port:tcp:21\tflow:f7a277f9998b \u2192 port:tcp:21\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-29997713c592805d:flow:1507855d0ab9\tSESSION-29997713c592805d \u2192 flow:1507855d0ab9\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-432ab8a16199cf6c:SESSION-432ab8a16199cf6c\tSESSION-432ab8a16199cf6c \u2192 pe:syn:SESSION-432ab8a16199cf6c\nFLOW_FROM_HOSTOBS\te:from:SESSION-93e42c11b9b89aaf:host:172.234.197.23\tSESSION-93e42c11b9b89aaf \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-5ceacf6e3fad521a:SESSION-5ceacf6e3fad521a\tSESSION-5ceacf6e3fad521a \u2192 pe:dns:SESSION-5ceacf6e3fad521a\nFLOW_TO_HOSTOBS\te:to:SESSION-98342a2659e39b9d:host:172.234.197.23\tSESSION-98342a2659e39b9d \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-b43027ed299d5e94:host:45.148.10.121:host:172.234.197.23\tSESSION-b43027ed299d5e94 \u2192 host:45.148.10.121 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-afdbc113425d69ae:SESSION-afdbc113425d69ae\tSESSION-afdbc113425d69ae \u2192 pe:syn:SESSION-afdbc113425d69ae\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-93e42c11b9b89aaf:flow:415bdf268435\tSESSION-93e42c11b9b89aaf \u2192 flow:415bdf268435\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-8946fc29c6b46f6d:host:43.172.194.114\tSESSION-8946fc29c6b46f6d \u2192 host:43.172.194.114\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-112a52c8741e1f24:host:5.61.209.107:host:172.234.197.23\tSESSION-112a52c8741e1f24 \u2192 host:5.61.209.107 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-1d2c12c54a6b8ee9:host:172.232.0.17\tSESSION-1d2c12c54a6b8ee9 \u2192 host:172.232.0.17\nFLOW_FROM_HOSTOBS\te:from:SESSION-c260bd1d3b6a172d:host:51.224.123.234\tSESSION-c260bd1d3b6a172d \u2192 host:51.224.123.234\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-4561579556c17060:host:172.234.197.23\tSESSION-4561579556c17060 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-3da8c2fb5a75575f:host:108.136.231.22\tSESSION-3da8c2fb5a75575f \u2192 host:108.136.231.22\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-28d60172800a0b5c:flow:c55c01d60832\tSESSION-28d60172800a0b5c \u2192 flow:c55c01d60832\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-4561579556c17060:host:43.173.132.82:host:172.234.197.23\tSESSION-4561579556c17060 \u2192 host:43.173.132.82 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-9d04f6d7b357bacd:flow:88adc449314f\tSESSION-9d04f6d7b357bacd \u2192 flow:88adc449314f\nHOST_IN_ASNOBS 85%\te:ha:host:91.227.37.60:asn:200780\thost:91.227.37.60 \u2192 asn:200780\nFLOW_DST_PORTOBS\te:fp:flow:7823764fbd64:port:udp:53\tflow:7823764fbd64 \u2192 port:udp:53\nflow_observed5-aryOBS\te:fo:flow:c55c01d60832\tflow:c55c01d60832 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nHOST_IN_ASNOBS 85%\te:ha:host:5.61.209.107:asn:206264\thost:5.61.209.107 \u2192 asn:206264\nFLOW_TO_HOSTOBS\te:to:SESSION-432ab8a16199cf6c:host:172.234.197.23\tSESSION-432ab8a16199cf6c \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-c260bd1d3b6a172d:host:172.234.197.23\tSESSION-c260bd1d3b6a172d \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-90b1be10321455be:host:172.234.197.23\tSESSION-90b1be10321455be \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-22e21c154242e139:PCAP:capture_20260505150001:90690819257f\tSESSION-22e21c154242e139 \u2192 PCAP:capture_20260505150001:90690819257f\nflow_observed3-aryOBS\te:fo:flow:a54692a6979d\tflow:a54692a6979d \u2192 host:51.224.129.180 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-432ab8a16199cf6c:host:92.118.39.196\tSESSION-432ab8a16199cf6c \u2192 host:92.118.39.196\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 65%\te:bsg:SESSION-1d2c12c54a6b8ee9:BSG-BEACON-f6c2b3d0e42d\tSESSION-1d2c12c54a6b8ee9 \u2192 BSG-BEACON-f6c2b3d0e42d\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:92.118.39.196:geo_45.99680_24.99700\thost:92.118.39.196 \u2192 geo_45.99680_24.99700\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-9ac8120baa6b4cb5:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-9ac8120baa6b4cb5 \u2192 PCAP:capture_20260505160001:6505a8988bcf\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-0280199fcf3ea167:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-0280199fcf3ea167 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nHOST_IN_ASNOBS 85%\te:ha:host:54.226.218.70:asn:14618\thost:54.226.218.70 \u2192 asn:14618\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-8ead85dcd9724179:flow:d71d4a109401\tSESSION-8ead85dcd9724179 \u2192 flow:d71d4a109401\nFLOW_TO_HOSTOBS\te:to:SESSION-b6b6a46eb2435b2c:host:172.232.0.17\tSESSION-b6b6a46eb2435b2c \u2192 host:172.232.0.17\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-5ceacf6e3fad521a:PCAP:capture_20260505210001:fe9b7b09d76a\tSESSION-5ceacf6e3fad521a \u2192 PCAP:capture_20260505210001:fe9b7b09d76a\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-4561579556c17060:SESSION-4561579556c17060\tSESSION-4561579556c17060 \u2192 pe:tls:SESSION-4561579556c17060\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-5d116249fba5ef1a:flow:0433b793a6a9\tSESSION-5d116249fba5ef1a \u2192 flow:0433b793a6a9\nFLOW_TO_HOSTOBS\te:to:SESSION-3936b227c1331c5d:host:172.234.197.23\tSESSION-3936b227c1331c5d \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-d8e778a85b00d06e:PCAP:capture_20260505180001:aab19cafbf97\tSESSION-d8e778a85b00d06e \u2192 PCAP:capture_20260505180001:aab19cafbf97\nflow_observed3-aryOBS\te:fo:flow:8c9867a7b467\tflow:8c9867a7b467 \u2192 host:108.136.220.138 \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-fb52ff5a15515e30:PCAP:capture_20260505210001:fe9b7b09d76a\tSESSION-fb52ff5a15515e30 \u2192 PCAP:capture_20260505210001:fe9b7b09d76a\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-e07d35bac2ad33a9:host:172.234.197.23\tSESSION-e07d35bac2ad33a9 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-15c7d6c96ae38709:host:43.172.194.114:host:172.234.197.23\tSESSION-15c7d6c96ae38709 \u2192 host:43.172.194.114 \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:54.227.57.227:asn:14618\thost:54.227.57.227 \u2192 asn:14618\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-061b514c6b7df469:SESSION-061b514c6b7df469\tSESSION-061b514c6b7df469 \u2192 pe:tls:SESSION-061b514c6b7df469\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-134b659b9f89c977:SESSION-134b659b9f89c977\tSESSION-134b659b9f89c977 \u2192 pe:dns:SESSION-134b659b9f89c977\nASN_IN_ORGOBS 80%\te:ao:asn:272809:org:THUNDERNET, C.A.\tasn:272809 \u2192 org:THUNDERNET, C.A.\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-28d60172800a0b5c:host:172.234.197.23\tSESSION-28d60172800a0b5c \u2192 host:172.234.197.23\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 75%\te:bsg:SESSION-6809ae9f3f9de168:BSG-BEACON-f6c2b3d0e42d\tSESSION-6809ae9f3f9de168 \u2192 BSG-BEACON-f6c2b3d0e42d\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-f439a23db4014944:SESSION-f439a23db4014944\tSESSION-f439a23db4014944 \u2192 pe:syn:SESSION-f439a23db4014944\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 75%\te:bsg:SESSION-ba31b8d0bcea573c:BSG-BEACON-f6c2b3d0e42d\tSESSION-ba31b8d0bcea573c \u2192 BSG-BEACON-f6c2b3d0e42d\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-b43027ed299d5e94:PCAP:capture_20260505190001:a68bf0af3b16\tSESSION-b43027ed299d5e94 \u2192 PCAP:capture_20260505190001:a68bf0af3b16\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-bf0cece70f740446:host:172.234.197.23\tSESSION-bf0cece70f740446 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-061b514c6b7df469:SESSION-061b514c6b7df469\tSESSION-061b514c6b7df469 \u2192 pe:syn:SESSION-061b514c6b7df469\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-08dd2a06bab4a852:host:172.234.197.23:host:172.232.0.17\tSESSION-08dd2a06bab4a852 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nFLOW_TO_HOSTOBS\te:to:SESSION-9ac8120baa6b4cb5:host:172.234.197.23\tSESSION-9ac8120baa6b4cb5 \u2192 host:172.234.197.23\nflow_observed3-aryOBS\te:fo:flow:d9cdb794d862\tflow:d9cdb794d862 \u2192 host:51.224.214.156 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-8f7048e06d096abe:host:92.118.39.236\tSESSION-8f7048e06d096abe \u2192 host:92.118.39.236\nFLOW_FROM_HOSTOBS\te:from:SESSION-48258acdb44fa51f:host:51.224.145.152\tSESSION-48258acdb44fa51f \u2192 host:51.224.145.152\nFLOW_QUERIED_DNSOBS\te:fd:flow:67de7fac861b:dns:172-234-197-23.ip.linodeusercontent.com\tflow:67de7fac861b \u2192 dns:172-234-197-23.ip.linodeusercontent.com\nFLOW_QUERIED_DNSOBS\te:fd:flow:0f6e4fea1ebd:dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\tflow:0f6e4fea1ebd \u2192 dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\nFLOW_DST_PORTOBS\te:fp:flow:fd30f5960ad1:port:tcp:443\tflow:fd30f5960ad1 \u2192 port:tcp:443\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-6f371d3a9290449b:host:172.232.0.17\tSESSION-6f371d3a9290449b \u2192 host:172.232.0.17\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-6f591a82d04e2f23:PCAP:capture_20260505150001:90690819257f\tSESSION-6f591a82d04e2f23 \u2192 PCAP:capture_20260505150001:90690819257f\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-6161ce1063e366a2:host:172.234.197.23\tSESSION-6161ce1063e366a2 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-901a03ef18d43905:host:78.153.140.149:host:172.234.197.23\tSESSION-901a03ef18d43905 \u2192 host:78.153.140.149 \u2192 host:172.234.197.23\nFLOW_DST_PORTOBS\te:fp:flow:a0f73d4e1f2a:port:udp:53\tflow:a0f73d4e1f2a \u2192 port:udp:53\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:82.86.130.0:geo_10.48730_-66.87380\thost:82.86.130.0 \u2192 geo_10.48730_-66.87380\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-fb52ff5a15515e30:host:199.45.155.73\tSESSION-fb52ff5a15515e30 \u2192 host:199.45.155.73\nflow_observed3-aryOBS\te:fo:flow:f56c5e5e9322\tflow:f56c5e5e9322 \u2192 host:103.220.165.12 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-90b1be10321455be:flow:9bafda49b279\tSESSION-90b1be10321455be \u2192 flow:9bafda49b279\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-c9df47030e6edeae:PCAP:capture_20260505200001:d502e7eabbdd\tSESSION-c9df47030e6edeae \u2192 PCAP:capture_20260505200001:d502e7eabbdd\nFLOW_TO_HOSTOBS\te:to:SESSION-859dff0703adcd19:host:172.234.197.23\tSESSION-859dff0703adcd19 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:78.153.140.149:geo_51.51640_-0.09300\thost:78.153.140.149 \u2192 geo_51.51640_-0.09300\nFLOW_DST_PORTOBS\te:fp:flow:67de7fac861b:port:udp:53\tflow:67de7fac861b \u2192 port:udp:53\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-bb030de157a28a92:host:51.224.129.180\tSESSION-bb030de157a28a92 \u2192 host:51.224.129.180\nFLOW_FROM_HOSTOBS\te:from:SESSION-22dca0f7e254df40:host:108.136.246.109\tSESSION-22dca0f7e254df40 \u2192 host:108.136.246.109\nFLOW_FROM_HOSTOBS\te:from:SESSION-d1d3131167e5d8a7:host:172.234.197.23\tSESSION-d1d3131167e5d8a7 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-15c7d6c96ae38709:host:43.172.194.114\tSESSION-15c7d6c96ae38709 \u2192 host:43.172.194.114\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-22e21c154242e139:host:108.136.195.128:host:172.234.197.23\tSESSION-22e21c154242e139 \u2192 host:108.136.195.128 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-449dd50fe1669698:flow:d2aa3d958328\tSESSION-449dd50fe1669698 \u2192 flow:d2aa3d958328\nPORT_IMPLIED_SERVICEIMP 70%\te:ps:port:udp:53:svc:dns\tport:udp:53 \u2192 svc:dns\nFLOW_DST_PORTOBS\te:fp:flow:1507855d0ab9:port:udp:53\tflow:1507855d0ab9 \u2192 port:udp:53\nflow_observed5-aryOBS\te:fo:flow:a4dceb0b502c\tflow:a4dceb0b502c \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-061b514c6b7df469:host:172.236.119.165:host:172.234.197.23\tSESSION-061b514c6b7df469 \u2192 host:172.236.119.165 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-6f591a82d04e2f23:host:172.234.197.23\tSESSION-6f591a82d04e2f23 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-ac2fa7388db2f6bf:host:172.234.197.23\tSESSION-ac2fa7388db2f6bf \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-51b92cc6a561b81c:host:54.227.57.227:host:172.234.197.23\tSESSION-51b92cc6a561b81c \u2192 host:54.227.57.227 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:rst:SESSION-6161ce1063e366a2:SESSION-6161ce1063e366a2\tSESSION-6161ce1063e366a2 \u2192 pe:rst:SESSION-6161ce1063e366a2\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-48538346c6e3fa4e:host:172.234.197.23:host:92.118.39.236\tSESSION-48538346c6e3fa4e \u2192 host:172.234.197.23 \u2192 host:92.118.39.236\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 75%\te:bsg:SESSION-b6b6a46eb2435b2c:BSG-BEACON-f6c2b3d0e42d\tSESSION-b6b6a46eb2435b2c \u2192 BSG-BEACON-f6c2b3d0e42d\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-29997713c592805d:PCAP:capture_20260505210001:fe9b7b09d76a\tSESSION-29997713c592805d \u2192 PCAP:capture_20260505210001:fe9b7b09d76a\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-b43027ed299d5e94:host:172.234.197.23\tSESSION-b43027ed299d5e94 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-402c59976f95ccac:host:172.232.0.17\tSESSION-402c59976f95ccac \u2192 host:172.232.0.17\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-989e93673dd1c7a6:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-989e93673dd1c7a6 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-6809ae9f3f9de168:host:172.234.197.23\tSESSION-6809ae9f3f9de168 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-1e693ff8754b6a4b:SESSION-1e693ff8754b6a4b\tSESSION-1e693ff8754b6a4b \u2192 pe:dns:SESSION-1e693ff8754b6a4b\nFLOW_TO_HOSTOBS\te:to:SESSION-4561579556c17060:host:172.234.197.23\tSESSION-4561579556c17060 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-b6b6a46eb2435b2c:host:172.234.197.23:host:172.232.0.17\tSESSION-b6b6a46eb2435b2c \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nHOST_IN_ASNOBS 85%\te:ha:host:108.136.246.109:asn:16509\thost:108.136.246.109 \u2192 asn:16509\nHOST_IN_ASNOBS 85%\te:ha:host:14.152.83.244:asn:134763\thost:14.152.83.244 \u2192 asn:134763\nHOST_IN_ASNOBS 85%\te:ha:host:108.136.195.128:asn:16509\thost:108.136.195.128 \u2192 asn:16509\nFLOW_FROM_HOSTOBS\te:from:SESSION-5d116249fba5ef1a:host:14.152.83.244\tSESSION-5d116249fba5ef1a \u2192 host:14.152.83.244\nflow_observed3-aryOBS\te:fo:flow:27bcaa9bf1c4\tflow:27bcaa9bf1c4 \u2192 host:13.250.21.18 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-90b1be10321455be:host:172.98.199.111:host:172.234.197.23\tSESSION-90b1be10321455be \u2192 host:172.98.199.111 \u2192 host:172.234.197.23\nFLOW_DST_PORTOBS\te:fp:flow:f2155c27e443:port:tcp:80\tflow:f2155c27e443 \u2192 port:tcp:80\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-e437667b37d516f6:flow:a697fcd98900\tSESSION-e437667b37d516f6 \u2192 flow:a697fcd98900\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-48258acdb44fa51f:host:51.224.145.152:host:172.234.197.23\tSESSION-48258acdb44fa51f \u2192 host:51.224.145.152 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-ac2fa7388db2f6bf:host:172.234.197.23\tSESSION-ac2fa7388db2f6bf \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:78.153.140.149:asn:202306\thost:78.153.140.149 \u2192 asn:202306\nFLOW_FROM_HOSTOBS\te:from:SESSION-a74e44c20494fb3b:host:51.224.16.78\tSESSION-a74e44c20494fb3b \u2192 host:51.224.16.78\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-5b835c6ebb995a7d:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-5b835c6ebb995a7d \u2192 PCAP:capture_20260505160001:6505a8988bcf\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-4d8ee5a4e3d2c6cb:host:108.137.71.172\tSESSION-4d8ee5a4e3d2c6cb \u2192 host:108.137.71.172\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-56879d86cd26b6ef:host:172.234.197.23:host:172.232.0.17\tSESSION-56879d86cd26b6ef \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-52ca69764e41f269:PCAP:capture_20260505190001:a68bf0af3b16\tSESSION-52ca69764e41f269 \u2192 PCAP:capture_20260505190001:a68bf0af3b16\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-402c59976f95ccac:PCAP:capture_20260505190001:a68bf0af3b16\tSESSION-402c59976f95ccac \u2192 PCAP:capture_20260505190001:a68bf0af3b16\nFLOW_DST_PORTOBS\te:fp:flow:40d85800a99d:port:udp:53\tflow:40d85800a99d \u2192 port:udp:53\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-402c59976f95ccac:host:172.232.0.17\tSESSION-402c59976f95ccac \u2192 host:172.232.0.17\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-5ad6262f0c135833:host:16.78.103.11:host:172.234.197.23\tSESSION-5ad6262f0c135833 \u2192 host:16.78.103.11 \u2192 host:172.234.197.23\nflow_observed5-aryOBS\te:fo:flow:c7fc0633636d\tflow:c7fc0633636d \u2192 host:40.77.167.4 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nFLOW_FROM_HOSTOBS\te:from:SESSION-b43027ed299d5e94:host:45.148.10.121\tSESSION-b43027ed299d5e94 \u2192 host:45.148.10.121\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-22dca0f7e254df40:host:108.136.246.109\tSESSION-22dca0f7e254df40 \u2192 host:108.136.246.109\nFLOW_FROM_HOSTOBS\te:from:SESSION-8f7048e06d096abe:host:172.234.197.23\tSESSION-8f7048e06d096abe \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:172.234.197.23:asn:63949\thost:172.234.197.23 \u2192 asn:63949\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-90d5b2c6338c7815:host:82.86.130.0\tSESSION-90d5b2c6338c7815 \u2192 host:82.86.130.0\nFLOW_FROM_HOSTOBS\te:from:SESSION-402c59976f95ccac:host:172.234.197.23\tSESSION-402c59976f95ccac \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-48538346c6e3fa4e:host:172.234.197.23\tSESSION-48538346c6e3fa4e \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-d1099e585fa36f54:host:172.234.197.23\tSESSION-d1099e585fa36f54 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-432ab8a16199cf6c:flow:cbf075d8966a\tSESSION-432ab8a16199cf6c \u2192 flow:cbf075d8966a\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:172.232.0.17:geo_41.88350_-87.63050\thost:172.232.0.17 \u2192 geo_41.88350_-87.63050\nHOST_IN_ASNOBS 85%\te:ha:host:14.17.85.204:asn:134763\thost:14.17.85.204 \u2192 asn:134763\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-b6b6a46eb2435b2c:PCAP:capture_20260505150001:90690819257f\tSESSION-b6b6a46eb2435b2c \u2192 PCAP:capture_20260505150001:90690819257f\nflow_observed3-aryOBS\te:fo:flow:02ba1d809494\tflow:02ba1d809494 \u2192 host:103.155.16.117 \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-c260bd1d3b6a172d:PCAP:capture_20260505150001:90690819257f\tSESSION-c260bd1d3b6a172d \u2192 PCAP:capture_20260505150001:90690819257f\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 90%\te:bsg:SESSION-08dd2a06bab4a852:BSG-BEACON-f6c2b3d0e42d\tSESSION-08dd2a06bab4a852 \u2192 BSG-BEACON-f6c2b3d0e42d\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-afdbc113425d69ae:flow:fb0a88ae25c4\tSESSION-afdbc113425d69ae \u2192 flow:fb0a88ae25c4\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-061b514c6b7df469:host:172.234.197.23\tSESSION-061b514c6b7df469 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-432ab8a16199cf6c:host:172.234.197.23\tSESSION-432ab8a16199cf6c \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-53f109edd419cdc2:host:172.234.197.23\tSESSION-53f109edd419cdc2 \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-08dd2a06bab4a852:PCAP:capture_20260505200001:d502e7eabbdd\tSESSION-08dd2a06bab4a852 \u2192 PCAP:capture_20260505200001:d502e7eabbdd\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-f439a23db4014944:host:172.234.197.23\tSESSION-f439a23db4014944 \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:14.17.85.204:geo_34.77320_113.72200\thost:14.17.85.204 \u2192 geo_34.77320_113.72200\nHOST_IN_ASNOBS 85%\te:ha:host:13.216.252.177:asn:14618\thost:13.216.252.177 \u2192 asn:14618\nFLOW_TO_HOSTOBS\te:to:SESSION-1d2c12c54a6b8ee9:host:172.232.0.17\tSESSION-1d2c12c54a6b8ee9 \u2192 host:172.232.0.17\nFLOW_FROM_HOSTOBS\te:from:SESSION-90b1be10321455be:host:172.98.199.111\tSESSION-90b1be10321455be \u2192 host:172.98.199.111\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-b6b6a46eb2435b2c:flow:84372b4c9378\tSESSION-b6b6a46eb2435b2c \u2192 flow:84372b4c9378\nflow_observed5-aryOBS\te:fo:flow:88adc449314f\tflow:88adc449314f \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nFLOW_TO_HOSTOBS\te:to:SESSION-48538346c6e3fa4e:host:92.118.39.236\tSESSION-48538346c6e3fa4e \u2192 host:92.118.39.236\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-061c5d7701fcd16d:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-061c5d7701fcd16d \u2192 PCAP:capture_20260505160001:6505a8988bcf\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-52ca69764e41f269:host:172.234.197.23\tSESSION-52ca69764e41f269 \u2192 host:172.234.197.23\nflow_observed3-aryOBS\te:fo:flow:9bafda49b279\tflow:9bafda49b279 \u2192 host:172.98.199.111 \u2192 host:172.234.197.23\nflow_observed3-aryOBS\te:fo:flow:dd59f847be17\tflow:dd59f847be17 \u2192 host:108.137.71.172 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-1e693ff8754b6a4b:host:172.234.197.23:host:172.232.0.17\tSESSION-1e693ff8754b6a4b \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nFLOW_DST_PORTOBS\te:fp:flow:d71d4a109401:port:tcp:443\tflow:d71d4a109401 \u2192 port:tcp:443\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-c28f30a8568677bd:host:172.234.197.23\tSESSION-c28f30a8568677bd \u2192 host:172.234.197.23\nflow_observed3-aryOBS\te:fo:flow:c704ad95df18\tflow:c704ad95df18 \u2192 host:103.155.16.117 \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:18.138.243.16:asn:16509\thost:18.138.243.16 \u2192 asn:16509\nFLOW_FROM_HOSTOBS\te:from:SESSION-b6b6a46eb2435b2c:host:172.234.197.23\tSESSION-b6b6a46eb2435b2c \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-d4533a7174934c47:host:172.232.0.17\tSESSION-d4533a7174934c47 \u2192 host:172.232.0.17\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:43.173.132.115:geo_1.29390_103.84610\thost:43.173.132.115 \u2192 geo_1.29390_103.84610\nFLOW_FROM_HOSTOBS\te:from:SESSION-15c7d6c96ae38709:host:43.172.194.114\tSESSION-15c7d6c96ae38709 \u2192 host:43.172.194.114\nflow_observed5-aryOBS\te:fo:flow:9177236cf88d\tflow:9177236cf88d \u2192 host:5.61.209.107 \u2192 host:172.234.197.23 \u2192 port:tcp:80 \u2192 svc:http\nFLOW_TLS_SNIOBS\te:fs:flow:fd30f5960ad1:tls_sni:172-234-197-23.ip.linodeusercontent.com\tflow:fd30f5960ad1 \u2192 tls_sni:172-234-197-23.ip.linodeusercontent.com\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-548e9314b3086ca9:host:3.143.162.210:host:172.234.197.23\tSESSION-548e9314b3086ca9 \u2192 host:3.143.162.210 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-08dd2a06bab4a852:host:172.234.197.23\tSESSION-08dd2a06bab4a852 \u2192 host:172.234.197.23\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 90%\te:bsg:SESSION-134b659b9f89c977:BSG-BEACON-f6c2b3d0e42d\tSESSION-134b659b9f89c977 \u2192 BSG-BEACON-f6c2b3d0e42d\nFLOW_DST_PORTOBS\te:fp:flow:a17816cafef4:port:tcp:443\tflow:a17816cafef4 \u2192 port:tcp:443\nFLOW_QUERIED_DNSOBS\te:fd:flow:cf8bff248bec:dns:172-234-197-23.ip.linodeusercontent.com\tflow:cf8bff248bec \u2192 dns:172-234-197-23.ip.linodeusercontent.com\nFLOW_DST_PORTOBS\te:fp:flow:d660fa8ff9b1:port:tcp:46006\tflow:d660fa8ff9b1 \u2192 port:tcp:46006\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 65%\te:bsg:SESSION-ac2fa7388db2f6bf:BSG-BEACON-f6c2b3d0e42d\tSESSION-ac2fa7388db2f6bf \u2192 BSG-BEACON-f6c2b3d0e42d\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-b6b6a46eb2435b2c:SESSION-b6b6a46eb2435b2c\tSESSION-b6b6a46eb2435b2c \u2192 pe:dns:SESSION-b6b6a46eb2435b2c\nFLOW_TO_HOSTOBS\te:to:SESSION-5ceacf6e3fad521a:host:172.232.0.17\tSESSION-5ceacf6e3fad521a \u2192 host:172.232.0.17\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-d4533a7174934c47:SESSION-d4533a7174934c47\tSESSION-d4533a7174934c47 \u2192 pe:dns:SESSION-d4533a7174934c47\nFLOW_HTTP_HOSTOBS\te:fh:flow:4501038c119d:http_host:172-234-197-23.ip.linodeusercontent.com\tflow:4501038c119d \u2192 http_host:172-234-197-23.ip.linodeusercontent.com\nFLOW_FROM_HOSTOBS\te:from:SESSION-34afdab6201869ee:host:51.224.53.243\tSESSION-34afdab6201869ee \u2192 host:51.224.53.243\nASN_IN_ORGOBS 80%\te:ao:asn:48090:org:Techoff Srv Limited\tasn:48090 \u2192 org:Techoff Srv Limited\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-9d04f6d7b357bacd:host:172.234.197.23\tSESSION-9d04f6d7b357bacd \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-6809ae9f3f9de168:PCAP:capture_20260505180001:aab19cafbf97\tSESSION-6809ae9f3f9de168 \u2192 PCAP:capture_20260505180001:aab19cafbf97\nFLOW_TO_HOSTOBS\te:to:SESSION-9d04f6d7b357bacd:host:172.232.0.17\tSESSION-9d04f6d7b357bacd \u2192 host:172.232.0.17\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-98342a2659e39b9d:host:172.234.197.23\tSESSION-98342a2659e39b9d \u2192 host:172.234.197.23\nFLOW_HTTP_HOSTOBS\te:fh:flow:f2155c27e443:http_host:172.234.197.23\tflow:f2155c27e443 \u2192 http_host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-48538346c6e3fa4e:PCAP:capture_20260505200001:d502e7eabbdd\tSESSION-48538346c6e3fa4e \u2192 PCAP:capture_20260505200001:d502e7eabbdd\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-4561579556c17060:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-4561579556c17060 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-d4533a7174934c47:host:172.234.197.23\tSESSION-d4533a7174934c47 \u2192 host:172.234.197.23\nFLOW_DST_PORTOBS\te:fp:flow:7ac69d00b687:port:udp:53\tflow:7ac69d00b687 \u2192 port:udp:53\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-a74e44c20494fb3b:host:51.224.16.78:host:172.234.197.23\tSESSION-a74e44c20494fb3b \u2192 host:51.224.16.78 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-ec5c8fa8037e3562:host:103.155.16.117\tSESSION-ec5c8fa8037e3562 \u2192 host:103.155.16.117\nflow_observed3-aryOBS\te:fo:flow:a4bc84010efc\tflow:a4bc84010efc \u2192 host:108.136.195.128 \u2192 host:172.234.197.23\nASN_IN_ORGOBS 80%\te:ao:asn:41231:org:Canonical Group Limited\tasn:41231 \u2192 org:Canonical Group Limited\nFLOW_TO_HOSTOBS\te:to:SESSION-d4533a7174934c47:host:172.232.0.17\tSESSION-d4533a7174934c47 \u2192 host:172.232.0.17\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-d1d3131167e5d8a7:host:172.234.197.23\tSESSION-d1d3131167e5d8a7 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-29997713c592805d:host:172.232.0.17\tSESSION-29997713c592805d \u2192 host:172.232.0.17\nflow_observed5-aryOBS\te:fo:flow:cbf075d8966a\tflow:cbf075d8966a \u2192 host:92.118.39.196 \u2192 host:172.234.197.23 \u2192 port:tcp:22 \u2192 svc:ssh\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:54.226.218.70:geo_39.04690_-77.49030\thost:54.226.218.70 \u2192 geo_39.04690_-77.49030\nFLOW_TLS_SNIOBS\te:fs:flow:bcd27756aa40:tls_sni:172-234-197-23.ip.linodeusercontent.com\tflow:bcd27756aa40 \u2192 tls_sni:172-234-197-23.ip.linodeusercontent.com\nflow_observed5-aryOBS\te:fo:flow:18ab509ee72d\tflow:18ab509ee72d \u2192 host:221.156.137.102 \u2192 host:172.234.197.23 \u2192 port:tcp:22 \u2192 svc:ssh\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:51.224.145.152:geo_52.51960_13.40690\thost:51.224.145.152 \u2192 geo_52.51960_13.40690\nFLOW_TO_HOSTOBS\te:to:SESSION-56879d86cd26b6ef:host:172.232.0.17\tSESSION-56879d86cd26b6ef \u2192 host:172.232.0.17\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-3936b227c1331c5d:PCAP:capture_20260505150001:90690819257f\tSESSION-3936b227c1331c5d \u2192 PCAP:capture_20260505150001:90690819257f\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-134b659b9f89c977:PCAP:capture_20260505200001:d502e7eabbdd\tSESSION-134b659b9f89c977 \u2192 PCAP:capture_20260505200001:d502e7eabbdd\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-cef22d690e31564a:PCAP:capture_20260505190001:a68bf0af3b16\tSESSION-cef22d690e31564a \u2192 PCAP:capture_20260505190001:a68bf0af3b16\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:5.61.209.107:geo_-4.58330_55.66670\thost:5.61.209.107 \u2192 geo_-4.58330_55.66670\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-6f371d3a9290449b:flow:cf8bff248bec\tSESSION-6f371d3a9290449b \u2192 flow:cf8bff248bec\nflow_observed3-aryOBS\te:fo:flow:3b056e5c7d7c\tflow:3b056e5c7d7c \u2192 host:108.136.231.22 \u2192 host:172.234.197.23\nFLOW_QUERIED_DNSOBS\te:fd:flow:a4dceb0b502c:dns:api.snapcraft.io\tflow:a4dceb0b502c \u2192 dns:api.snapcraft.io\nFLOW_DST_PORTOBS\te:fp:flow:cbf075d8966a:port:tcp:22\tflow:cbf075d8966a \u2192 port:tcp:22\nFLOW_DST_PORTOBS\te:fp:flow:0433b793a6a9:port:tcp:443\tflow:0433b793a6a9 \u2192 port:tcp:443\nFLOW_TO_HOSTOBS\te:to:SESSION-8f7048e06d096abe:host:92.118.39.236\tSESSION-8f7048e06d096abe \u2192 host:92.118.39.236\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-1f42c1a2508937e6:PCAP:capture_20260505200001:d502e7eabbdd\tSESSION-1f42c1a2508937e6 \u2192 PCAP:capture_20260505200001:d502e7eabbdd\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 50%\te:bsg:SESSION-6161ce1063e366a2:BSG-DATA_EXFIL-93085dcb8f6d\tSESSION-6161ce1063e366a2 \u2192 BSG-DATA_EXFIL-93085dcb8f6d\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-6161ce1063e366a2:flow:83a5cffc6703\tSESSION-6161ce1063e366a2 \u2192 flow:83a5cffc6703\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-5b835c6ebb995a7d:host:5.61.209.107:host:172.234.197.23\tSESSION-5b835c6ebb995a7d \u2192 host:5.61.209.107 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-859dff0703adcd19:host:78.153.140.149:host:172.234.197.23\tSESSION-859dff0703adcd19 \u2192 host:78.153.140.149 \u2192 host:172.234.197.23\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 90%\te:bsg:SESSION-5ceacf6e3fad521a:BSG-BEACON-f6c2b3d0e42d\tSESSION-5ceacf6e3fad521a \u2192 BSG-BEACON-f6c2b3d0e42d\nFLOW_FROM_HOSTOBS\te:from:SESSION-90d5b2c6338c7815:host:82.86.130.0\tSESSION-90d5b2c6338c7815 \u2192 host:82.86.130.0\nHOST_IN_ASNOBS 85%\te:ha:host:108.136.231.22:asn:16509\thost:108.136.231.22 \u2192 asn:16509\nFLOW_TLS_SNIOBS\te:fs:flow:fb0a88ae25c4:tls_sni:172-234-197-23.ip.linodeusercontent.com\tflow:fb0a88ae25c4 \u2192 tls_sni:172-234-197-23.ip.linodeusercontent.com\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-5ad6262f0c135833:PCAP:capture_20260505150001:90690819257f\tSESSION-5ad6262f0c135833 \u2192 PCAP:capture_20260505150001:90690819257f\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-28d60172800a0b5c:SESSION-28d60172800a0b5c\tSESSION-28d60172800a0b5c \u2192 pe:dns:SESSION-28d60172800a0b5c\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-a74e44c20494fb3b:host:51.224.16.78\tSESSION-a74e44c20494fb3b \u2192 host:51.224.16.78\nflow_observed3-aryOBS\te:fo:flow:a4f2cd6ce2f7\tflow:a4f2cd6ce2f7 \u2192 host:13.229.125.1 \u2192 host:172.234.197.23\nPORT_IMPLIED_SERVICEIMP 70%\te:ps:port:tcp:80:svc:http\tport:tcp:80 \u2192 svc:http\nflow_observed4-aryOBS\te:fo:flow:da8d91463c3d\tflow:da8d91463c3d \u2192 host:199.45.155.73 \u2192 host:172.234.197.23 \u2192 port:tcp:2002\nFLOW_TO_HOSTOBS\te:to:SESSION-134b659b9f89c977:host:172.232.0.17\tSESSION-134b659b9f89c977 \u2192 host:172.232.0.17\nFLOW_FROM_HOSTOBS\te:from:SESSION-5ad6262f0c135833:host:16.78.103.11\tSESSION-5ad6262f0c135833 \u2192 host:16.78.103.11\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-34afdab6201869ee:host:172.234.197.23\tSESSION-34afdab6201869ee \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-1164951de921d536:flow:bcd27756aa40\tSESSION-1164951de921d536 \u2192 flow:bcd27756aa40\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-8ead85dcd9724179:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-8ead85dcd9724179 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-98342a2659e39b9d:host:102.69.167.14\tSESSION-98342a2659e39b9d \u2192 host:102.69.167.14\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:rst:SESSION-8f7048e06d096abe:SESSION-8f7048e06d096abe\tSESSION-8f7048e06d096abe \u2192 pe:rst:SESSION-8f7048e06d096abe\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-112a52c8741e1f24:SESSION-112a52c8741e1f24\tSESSION-112a52c8741e1f24 \u2192 pe:syn:SESSION-112a52c8741e1f24\nHOST_IN_ASNOBS 85%\te:ha:host:43.172.194.114:asn:132203\thost:43.172.194.114 \u2192 asn:132203\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-48538346c6e3fa4e:host:172.234.197.23\tSESSION-48538346c6e3fa4e \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-432ab8a16199cf6c:PCAP:capture_20260505210001:fe9b7b09d76a\tSESSION-432ab8a16199cf6c \u2192 PCAP:capture_20260505210001:fe9b7b09d76a\nFLOW_FROM_HOSTOBS\te:from:SESSION-859dff0703adcd19:host:78.153.140.149\tSESSION-859dff0703adcd19 \u2192 host:78.153.140.149\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-22dca0f7e254df40:flow:ea0949f415db\tSESSION-22dca0f7e254df40 \u2192 flow:ea0949f415db\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-1e693ff8754b6a4b:host:172.232.0.17\tSESSION-1e693ff8754b6a4b \u2192 host:172.232.0.17\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-134b659b9f89c977:host:172.234.197.23:host:172.232.0.17\tSESSION-134b659b9f89c977 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nHOST_IN_ASNOBS 85%\te:ha:host:103.220.165.12:asn:138421\thost:103.220.165.12 \u2192 asn:138421\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:44.203.55.60:geo_39.04690_-77.49030\thost:44.203.55.60 \u2192 geo_39.04690_-77.49030\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-9d04f6d7b357bacd:host:172.232.0.17\tSESSION-9d04f6d7b357bacd \u2192 host:172.232.0.17\nHOST_IN_ASNOBS 85%\te:ha:host:108.137.71.172:asn:16509\thost:108.137.71.172 \u2192 asn:16509\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:108.136.231.22:geo_-6.21140_106.84460\thost:108.136.231.22 \u2192 geo_-6.21140_106.84460\nHOST_IN_ASNOBS 85%\te:ha:host:45.148.10.121:asn:48090\thost:45.148.10.121 \u2192 asn:48090\nFLOW_DST_PORTOBS\te:fp:flow:ef50ec85480c:port:tcp:80\tflow:ef50ec85480c \u2192 port:tcp:80\nHOST_IN_ASNOBS 85%\te:ha:host:108.137.123.21:asn:16509\thost:108.137.123.21 \u2192 asn:16509\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-061c5d7701fcd16d:host:172.234.197.23\tSESSION-061c5d7701fcd16d \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-6809ae9f3f9de168:SESSION-6809ae9f3f9de168\tSESSION-6809ae9f3f9de168 \u2192 pe:dns:SESSION-6809ae9f3f9de168\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-5ceacf6e3fad521a:host:172.234.197.23\tSESSION-5ceacf6e3fad521a \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:51.224.123.234:asn:16509\thost:51.224.123.234 \u2192 asn:16509\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-ba31b8d0bcea573c:host:172.234.197.23\tSESSION-ba31b8d0bcea573c \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-c28f30a8568677bd:host:54.237.9.199\tSESSION-c28f30a8568677bd \u2192 host:54.237.9.199\nflow_observed5-aryOBS\te:fo:flow:415bdf268435\tflow:415bdf268435 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nflow_observed5-aryOBS\te:fo:flow:3a5125854ad8\tflow:3a5125854ad8 \u2192 host:172.236.119.165 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-3936b227c1331c5d:host:108.136.231.22\tSESSION-3936b227c1331c5d \u2192 host:108.136.231.22\nFLOW_FROM_HOSTOBS\te:from:SESSION-98342a2659e39b9d:host:102.69.167.14\tSESSION-98342a2659e39b9d \u2192 host:102.69.167.14\nFLOW_QUERIED_DNSOBS\te:fd:flow:40d85800a99d:dns:172-234-197-23.ip.linodeusercontent.com\tflow:40d85800a99d \u2192 dns:172-234-197-23.ip.linodeusercontent.com\nFLOW_FROM_HOSTOBS\te:from:SESSION-c70914c01a4dbe00:host:221.156.137.102\tSESSION-c70914c01a4dbe00 \u2192 host:221.156.137.102\nFLOW_DST_PORTOBS\te:fp:flow:cf8bff248bec:port:udp:53\tflow:cf8bff248bec \u2192 port:udp:53\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-989e93673dd1c7a6:host:14.17.85.204:host:172.234.197.23\tSESSION-989e93673dd1c7a6 \u2192 host:14.17.85.204 \u2192 host:172.234.197.23\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 50%\te:bsg:SESSION-52ca69764e41f269:BSG-DATA_EXFIL-b6d7f24ac366\tSESSION-52ca69764e41f269 \u2192 BSG-DATA_EXFIL-b6d7f24ac366\nflow_observed5-aryOBS\te:fo:flow:0433b793a6a9\tflow:0433b793a6a9 \u2192 host:14.152.83.244 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nflow_observed5-aryOBS\te:fo:flow:449957d41315\tflow:449957d41315 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nFLOW_FROM_HOSTOBS\te:from:SESSION-ec5c8fa8037e3562:host:103.155.16.117\tSESSION-ec5c8fa8037e3562 \u2192 host:103.155.16.117\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-4d8ee5a4e3d2c6cb:host:108.137.71.172:host:172.234.197.23\tSESSION-4d8ee5a4e3d2c6cb \u2192 host:108.137.71.172 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-afdbc113425d69ae:host:91.227.37.60\tSESSION-afdbc113425d69ae \u2192 host:91.227.37.60\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-2defdff48f63b22c:host:13.216.252.177\tSESSION-2defdff48f63b22c \u2192 host:13.216.252.177\nflow_observed5-aryOBS\te:fo:flow:7823764fbd64\tflow:7823764fbd64 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:tls:SESSION-6161ce1063e366a2:SESSION-6161ce1063e366a2\tSESSION-6161ce1063e366a2 \u2192 pe:tls:SESSION-6161ce1063e366a2\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:45.148.10.121:geo_52.37590_4.89750\thost:45.148.10.121 \u2192 geo_52.37590_4.89750\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-ad1c4ddd91bc1148:host:172.234.197.23\tSESSION-ad1c4ddd91bc1148 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-22dca0f7e254df40:host:108.136.246.109:host:172.234.197.23\tSESSION-22dca0f7e254df40 \u2192 host:108.136.246.109 \u2192 host:172.234.197.23\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:rst:SESSION-98342a2659e39b9d:SESSION-98342a2659e39b9d\tSESSION-98342a2659e39b9d \u2192 pe:rst:SESSION-98342a2659e39b9d\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-d8e778a85b00d06e:host:13.229.125.1\tSESSION-d8e778a85b00d06e \u2192 host:13.229.125.1\nFLOW_HTTP_HOSTOBS\te:fh:flow:1914bb7cc20f:http_host:172-234-197-23.ip.linodeusercontent.com\tflow:1914bb7cc20f \u2192 http_host:172-234-197-23.ip.linodeusercontent.com\nFLOW_TO_HOSTOBS\te:to:SESSION-22dca0f7e254df40:host:172.234.197.23\tSESSION-22dca0f7e254df40 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-3da8c2fb5a75575f:host:172.234.197.23\tSESSION-3da8c2fb5a75575f \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-c70914c01a4dbe00:host:172.234.197.23\tSESSION-c70914c01a4dbe00 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-6161ce1063e366a2:host:172.234.197.23:host:185.125.188.57\tSESSION-6161ce1063e366a2 \u2192 host:172.234.197.23 \u2192 host:185.125.188.57\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-901a03ef18d43905:SESSION-901a03ef18d43905\tSESSION-901a03ef18d43905 \u2192 pe:syn:SESSION-901a03ef18d43905\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-d1d3131167e5d8a7:PCAP:capture_20260505180001:aab19cafbf97\tSESSION-d1d3131167e5d8a7 \u2192 PCAP:capture_20260505180001:aab19cafbf97\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-5ceacf6e3fad521a:flow:70c428feea0e\tSESSION-5ceacf6e3fad521a \u2192 flow:70c428feea0e\nflow_observed5-aryOBS\te:fo:flow:7ac69d00b687\tflow:7ac69d00b687 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 65%\te:bsg:SESSION-402c59976f95ccac:BSG-BEACON-f6c2b3d0e42d\tSESSION-402c59976f95ccac \u2192 BSG-BEACON-f6c2b3d0e42d\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-901a03ef18d43905:flow:f2155c27e443\tSESSION-901a03ef18d43905 \u2192 flow:f2155c27e443\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:172.236.119.165:geo_41.88350_-87.63050\thost:172.236.119.165 \u2192 geo_41.88350_-87.63050\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-83e825ce567e05ed:flow:d9cdb794d862\tSESSION-83e825ce567e05ed \u2192 flow:d9cdb794d862\nFLOW_QUERIED_DNSOBS\te:fd:flow:8089546c59de:dns:172-234-197-23.ip.linodeusercontent.com\tflow:8089546c59de \u2192 dns:172-234-197-23.ip.linodeusercontent.com\nflow_observed3-aryOBS\te:fo:flow:d7d8a1790678\tflow:d7d8a1790678 \u2192 host:51.224.123.234 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-a4e2d049e521c4ea:host:172.234.197.23\tSESSION-a4e2d049e521c4ea \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-989e93673dd1c7a6:host:14.17.85.204\tSESSION-989e93673dd1c7a6 \u2192 host:14.17.85.204\nFLOW_DST_PORTOBS\te:fp:flow:415bdf268435:port:udp:53\tflow:415bdf268435 \u2192 port:udp:53\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-fb52ff5a15515e30:flow:a34856d5d292\tSESSION-fb52ff5a15515e30 \u2192 flow:a34856d5d292\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-7b3c407fbcf7cdbc:host:172.234.197.23\tSESSION-7b3c407fbcf7cdbc \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-e437667b37d516f6:host:172.234.197.23\tSESSION-e437667b37d516f6 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-c260bd1d3b6a172d:host:172.234.197.23\tSESSION-c260bd1d3b6a172d \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-d96f4e3d10a0a4f0:host:103.155.16.117:host:172.234.197.23\tSESSION-d96f4e3d10a0a4f0 \u2192 host:103.155.16.117 \u2192 host:172.234.197.23\nASN_IN_ORGOBS 80%\te:ao:asn:206264:org:Amarutu Technology Ltd\tasn:206264 \u2192 org:Amarutu Technology Ltd\nflow_observed3-aryOBS\te:fo:flow:02b1e8c8b192\tflow:02b1e8c8b192 \u2192 host:103.155.16.117 \u2192 host:172.234.197.23\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 75%\te:bsg:SESSION-56879d86cd26b6ef:BSG-BEACON-f6c2b3d0e42d\tSESSION-56879d86cd26b6ef \u2192 BSG-BEACON-f6c2b3d0e42d\nFLOW_QUERIED_DNSOBS\te:fd:flow:415bdf268435:dns:172-234-197-23.ip.linodeusercontent.com\tflow:415bdf268435 \u2192 dns:172-234-197-23.ip.linodeusercontent.com\nFLOW_FROM_HOSTOBS\te:from:SESSION-6161ce1063e366a2:host:172.234.197.23\tSESSION-6161ce1063e366a2 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-1f42c1a2508937e6:flow:c704ad95df18\tSESSION-1f42c1a2508937e6 \u2192 flow:c704ad95df18\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:3.220.15.173:geo_39.04690_-77.49030\thost:3.220.15.173 \u2192 geo_39.04690_-77.49030\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-ba31b8d0bcea573c:SESSION-ba31b8d0bcea573c\tSESSION-ba31b8d0bcea573c \u2192 pe:dns:SESSION-ba31b8d0bcea573c\nFLOW_TO_HOSTOBS\te:to:SESSION-8ead85dcd9724179:host:172.234.197.23\tSESSION-8ead85dcd9724179 \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-51b92cc6a561b81c:PCAP:capture_20260505150001:90690819257f\tSESSION-51b92cc6a561b81c \u2192 PCAP:capture_20260505150001:90690819257f\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-112a52c8741e1f24:flow:9177236cf88d\tSESSION-112a52c8741e1f24 \u2192 flow:9177236cf88d\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-7b3c407fbcf7cdbc:host:108.136.220.138:host:172.234.197.23\tSESSION-7b3c407fbcf7cdbc \u2192 host:108.136.220.138 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-93e42c11b9b89aaf:host:172.234.197.23:host:172.232.0.17\tSESSION-93e42c11b9b89aaf \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-cc46316b9ac69b28:host:108.136.195.128:host:172.234.197.23\tSESSION-cc46316b9ac69b28 \u2192 host:108.136.195.128 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-112a52c8741e1f24:host:5.61.209.107\tSESSION-112a52c8741e1f24 \u2192 host:5.61.209.107\nflow_observed3-aryOBS\te:fo:flow:3b21f9ede7cb\tflow:3b21f9ede7cb \u2192 host:108.137.123.21 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-4561579556c17060:host:43.173.132.82\tSESSION-4561579556c17060 \u2192 host:43.173.132.82\nHOST_IN_ASNOBS 85%\te:ha:host:16.78.103.11:asn:16509\thost:16.78.103.11 \u2192 asn:16509\nFLOW_FROM_HOSTOBS\te:from:SESSION-8ead85dcd9724179:host:43.173.187.143\tSESSION-8ead85dcd9724179 \u2192 host:43.173.187.143\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-8ead85dcd9724179:host:43.173.187.143:host:172.234.197.23\tSESSION-8ead85dcd9724179 \u2192 host:43.173.187.143 \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:172.236.119.165:asn:63949\thost:172.236.119.165 \u2192 asn:63949\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-53f109edd419cdc2:host:16.79.76.70:host:172.234.197.23\tSESSION-53f109edd419cdc2 \u2192 host:16.79.76.70 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-d8e778a85b00d06e:host:172.234.197.23\tSESSION-d8e778a85b00d06e \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-061c5d7701fcd16d:host:172.234.197.23\tSESSION-061c5d7701fcd16d \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-2defdff48f63b22c:host:13.216.252.177:host:172.234.197.23\tSESSION-2defdff48f63b22c \u2192 host:13.216.252.177 \u2192 host:172.234.197.23\nHOST_IN_ASNOBS 85%\te:ha:host:102.69.167.14:asn:328436\thost:102.69.167.14 \u2192 asn:328436\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-c28f30a8568677bd:flow:7027314e9f62\tSESSION-c28f30a8568677bd \u2192 flow:7027314e9f62\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-ec5c8fa8037e3562:host:103.155.16.117:host:172.234.197.23\tSESSION-ec5c8fa8037e3562 \u2192 host:103.155.16.117 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-51b92cc6a561b81c:flow:fd30f5960ad1\tSESSION-51b92cc6a561b81c \u2192 flow:fd30f5960ad1\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-afdbc113425d69ae:PCAP:capture_20260505210001:fe9b7b09d76a\tSESSION-afdbc113425d69ae \u2192 PCAP:capture_20260505210001:fe9b7b09d76a\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-1e693ff8754b6a4b:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-1e693ff8754b6a4b \u2192 PCAP:capture_20260505160001:6505a8988bcf\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-ec5c8fa8037e3562:PCAP:capture_20260505160001:6505a8988bcf\tSESSION-ec5c8fa8037e3562 \u2192 PCAP:capture_20260505160001:6505a8988bcf\nFLOW_TO_HOSTOBS\te:to:SESSION-e437667b37d516f6:host:172.234.197.23\tSESSION-e437667b37d516f6 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-15c7d6c96ae38709:host:172.234.197.23\tSESSION-15c7d6c96ae38709 \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-c28f30a8568677bd:host:172.234.197.23\tSESSION-c28f30a8568677bd \u2192 host:172.234.197.23\nFLOW_TO_HOSTOBS\te:to:SESSION-d8e778a85b00d06e:host:172.234.197.23\tSESSION-d8e778a85b00d06e \u2192 host:172.234.197.23\nASN_IN_ORGOBS 80%\te:ao:asn:14618:org:Amazon.com, Inc.\tasn:14618 \u2192 org:Amazon.com, Inc.\nFLOW_TO_HOSTOBS\te:to:SESSION-22e21c154242e139:host:172.234.197.23\tSESSION-22e21c154242e139 \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-d1d3131167e5d8a7:host:172.232.0.17\tSESSION-d1d3131167e5d8a7 \u2192 host:172.232.0.17\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:185.125.188.57:geo_51.49640_-0.12240\thost:185.125.188.57 \u2192 geo_51.49640_-0.12240\nHOST_IN_ASNOBS 85%\te:ha:host:13.229.125.1:asn:16509\thost:13.229.125.1 \u2192 asn:16509\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-e07d35bac2ad33a9:host:43.173.132.115:host:172.234.197.23\tSESSION-e07d35bac2ad33a9 \u2192 host:43.173.132.115 \u2192 host:172.234.197.23\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-c28f30a8568677bd:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-c28f30a8568677bd \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-8ead85dcd9724179:SESSION-8ead85dcd9724179\tSESSION-8ead85dcd9724179 \u2192 pe:syn:SESSION-8ead85dcd9724179\nFLOW_TLS_SNIOBS\te:fs:flow:441658b54583:tls_sni:172-234-197-23.ip.linodeusercontent.com\tflow:441658b54583 \u2192 tls_sni:172-234-197-23.ip.linodeusercontent.com\nFLOW_DST_PORTOBS\te:fp:flow:8089546c59de:port:udp:53\tflow:8089546c59de \u2192 port:udp:53\nflow_observed5-aryOBS\te:fo:flow:4501038c119d\tflow:4501038c119d \u2192 host:3.220.15.173 \u2192 host:172.234.197.23 \u2192 port:tcp:80 \u2192 svc:http\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-cc46316b9ac69b28:host:108.136.195.128\tSESSION-cc46316b9ac69b28 \u2192 host:108.136.195.128\nflow_observed5-aryOBS\te:fo:flow:8089546c59de\tflow:8089546c59de \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-29997713c592805d:host:172.234.197.23\tSESSION-29997713c592805d \u2192 host:172.234.197.23\nflow_observed5-aryOBS\te:fo:flow:fd30f5960ad1\tflow:fd30f5960ad1 \u2192 host:54.227.57.227 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-90b1be10321455be:host:172.98.199.111\tSESSION-90b1be10321455be \u2192 host:172.98.199.111\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:172.98.199.111:geo_37.75100_-97.82200\thost:172.98.199.111 \u2192 geo_37.75100_-97.82200\nFLOW_FROM_HOSTOBS\te:from:SESSION-cc46316b9ac69b28:host:108.136.195.128\tSESSION-cc46316b9ac69b28 \u2192 host:108.136.195.128\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-c70914c01a4dbe00:SESSION-c70914c01a4dbe00\tSESSION-c70914c01a4dbe00 \u2192 pe:syn:SESSION-c70914c01a4dbe00\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-d96f4e3d10a0a4f0:flow:02b1e8c8b192\tSESSION-d96f4e3d10a0a4f0 \u2192 flow:02b1e8c8b192\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-ad1c4ddd91bc1148:PCAP:capture_20260505150001:90690819257f\tSESSION-ad1c4ddd91bc1148 \u2192 PCAP:capture_20260505150001:90690819257f\nFLOW_FROM_HOSTOBS\te:from:SESSION-4561579556c17060:host:43.173.132.82\tSESSION-4561579556c17060 \u2192 host:43.173.132.82\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-c70914c01a4dbe00:host:221.156.137.102\tSESSION-c70914c01a4dbe00 \u2192 host:221.156.137.102\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:13.250.21.18:geo_1.29390_103.84610\thost:13.250.21.18 \u2192 geo_1.29390_103.84610\nFLOW_DST_PORTOBS\te:fp:flow:449957d41315:port:udp:53\tflow:449957d41315 \u2192 port:udp:53\nFLOW_TO_HOSTOBS\te:to:SESSION-6f591a82d04e2f23:host:172.234.197.23\tSESSION-6f591a82d04e2f23 \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-90d5b2c6338c7815:host:82.86.130.0:host:172.234.197.23\tSESSION-90d5b2c6338c7815 \u2192 host:82.86.130.0 \u2192 host:172.234.197.23\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-c260bd1d3b6a172d:flow:d7d8a1790678\tSESSION-c260bd1d3b6a172d \u2192 flow:d7d8a1790678\nflow_observed5-aryOBS\te:fo:flow:84372b4c9378\tflow:84372b4c9378 \u2192 host:172.234.197.23 \u2192 host:172.232.0.17 \u2192 port:udp:53 \u2192 svc:dns\nFLOW_FROM_HOSTOBS\te:from:SESSION-548e9314b3086ca9:host:3.143.162.210\tSESSION-548e9314b3086ca9 \u2192 host:3.143.162.210\nFLOW_DST_PORTOBS\te:fp:flow:d55b3af6cdbc:port:tcp:443\tflow:d55b3af6cdbc \u2192 port:tcp:443\nFLOW_TO_HOSTOBS\te:to:SESSION-0280199fcf3ea167:host:172.234.197.23\tSESSION-0280199fcf3ea167 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-5b835c6ebb995a7d:host:5.61.209.107\tSESSION-5b835c6ebb995a7d \u2192 host:5.61.209.107\nHOST_IN_ASNOBS 85%\te:ha:host:44.203.55.60:asn:14618\thost:44.203.55.60 \u2192 asn:14618\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-859dff0703adcd19:PCAP:capture_20260505210001:fe9b7b09d76a\tSESSION-859dff0703adcd19 \u2192 PCAP:capture_20260505210001:fe9b7b09d76a\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-bb030de157a28a92:PCAP:capture_20260505170001:ca2a90108bf2\tSESSION-bb030de157a28a92 \u2192 PCAP:capture_20260505170001:ca2a90108bf2\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 65%\te:bsg:SESSION-cef22d690e31564a:BSG-BEACON-f6c2b3d0e42d\tSESSION-cef22d690e31564a \u2192 BSG-BEACON-f6c2b3d0e42d\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-4d8ee5a4e3d2c6cb:host:172.234.197.23\tSESSION-4d8ee5a4e3d2c6cb \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-8946fc29c6b46f6d:host:172.234.197.23\tSESSION-8946fc29c6b46f6d \u2192 host:172.234.197.23\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:40.77.167.4:geo_36.66940_-78.38770\thost:40.77.167.4 \u2192 geo_36.66940_-78.38770\nflow_observed3-aryOBS\te:fo:flow:4ddbe4acc504\tflow:4ddbe4acc504 \u2192 host:32.195.50.176 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-53f109edd419cdc2:host:16.79.76.70\tSESSION-53f109edd419cdc2 \u2192 host:16.79.76.70\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-6f591a82d04e2f23:flow:5f0f49123cd7\tSESSION-6f591a82d04e2f23 \u2192 flow:5f0f49123cd7\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-56879d86cd26b6ef:host:172.234.197.23\tSESSION-56879d86cd26b6ef \u2192 host:172.234.197.23\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-6f371d3a9290449b:host:172.234.197.23:host:172.232.0.17\tSESSION-6f371d3a9290449b \u2192 host:172.234.197.23 \u2192 host:172.232.0.17\nflow_observed5-aryOBS\te:fo:flow:a17816cafef4\tflow:a17816cafef4 \u2192 host:43.172.194.114 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nFLOW_QUERIED_DNSOBS\te:fd:flow:1507855d0ab9:dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\tflow:1507855d0ab9 \u2192 dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-8946fc29c6b46f6d:flow:1ef937ba29a6\tSESSION-8946fc29c6b46f6d \u2192 flow:1ef937ba29a6\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-4be2484ef7d205f9:flow:da8d91463c3d\tSESSION-4be2484ef7d205f9 \u2192 flow:da8d91463c3d\nHOST_GEO_ESTIMATEOBS 60%\te:hg:host:43.173.132.82:geo_1.29390_103.84610\thost:43.173.132.82 \u2192 geo_1.29390_103.84610\nFLOW_QUERIED_DNSOBS\te:fd:flow:484583ddd05a:dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\tflow:484583ddd05a \u2192 dns:172-234-197-23.ip.linodeusercontent.com.members.linode.com\nFLOW_DST_PORTOBS\te:fp:flow:84372b4c9378:port:udp:53\tflow:84372b4c9378 \u2192 port:udp:53\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-449dd50fe1669698:PCAP:capture_20260505180001:aab19cafbf97\tSESSION-449dd50fe1669698 \u2192 PCAP:capture_20260505180001:aab19cafbf97\nSESSION_MEMBER_OF_BEHAVIOR_GROUPOBS 90%\te:bsg:SESSION-9d04f6d7b357bacd:BSG-BEACON-f6c2b3d0e42d\tSESSION-9d04f6d7b357bacd \u2192 BSG-BEACON-f6c2b3d0e42d\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-c70914c01a4dbe00:PCAP:capture_20260505180001:aab19cafbf97\tSESSION-c70914c01a4dbe00 \u2192 PCAP:capture_20260505180001:aab19cafbf97\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-48538346c6e3fa4e:host:92.118.39.236\tSESSION-48538346c6e3fa4e \u2192 host:92.118.39.236\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-5d116249fba5ef1a:host:172.234.197.23\tSESSION-5d116249fba5ef1a \u2192 host:172.234.197.23\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-901a03ef18d43905:host:78.153.140.149\tSESSION-901a03ef18d43905 \u2192 host:78.153.140.149\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:syn:SESSION-6161ce1063e366a2:SESSION-6161ce1063e366a2\tSESSION-6161ce1063e366a2 \u2192 pe:syn:SESSION-6161ce1063e366a2\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-6809ae9f3f9de168:flow:c853014c7a67\tSESSION-6809ae9f3f9de168 \u2192 flow:c853014c7a67\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-afdbc113425d69ae:host:91.227.37.60\tSESSION-afdbc113425d69ae \u2192 host:91.227.37.60\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-e07d35bac2ad33a9:flow:696377210741\tSESSION-e07d35bac2ad33a9 \u2192 flow:696377210741\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-449dd50fe1669698:host:18.138.243.16\tSESSION-449dd50fe1669698 \u2192 host:18.138.243.16\nSESSION_OBSERVED_HOSTOBS\te:soh:SESSION-b43027ed299d5e94:host:45.148.10.121\tSESSION-b43027ed299d5e94 \u2192 host:45.148.10.121\nSESSION_DERIVED_FROM_PCAPOBS\te:derived:SESSION-9d04f6d7b357bacd:PCAP:capture_20260505200001:d502e7eabbdd\tSESSION-9d04f6d7b357bacd \u2192 PCAP:capture_20260505200001:d502e7eabbdd\nflow_observed3-aryOBS\te:fo:flow:c79e28885a99\tflow:c79e28885a99 \u2192 host:51.224.53.243 \u2192 host:172.234.197.23\nflow_observed5-aryOBS\te:fo:flow:fb0a88ae25c4\tflow:fb0a88ae25c4 \u2192 host:91.227.37.60 \u2192 host:172.234.197.23 \u2192 port:tcp:443 \u2192 svc:https\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-08dd2a06bab4a852:SESSION-08dd2a06bab4a852\tSESSION-08dd2a06bab4a852 \u2192 pe:dns:SESSION-08dd2a06bab4a852\nSESSION_OBSERVED_FLOWOBS\te:sof:SESSION-b43027ed299d5e94:flow:daf8c45d27ff\tSESSION-b43027ed299d5e94 \u2192 flow:daf8c45d27ff\nflow_observed3-aryOBS\te:fo:flow:4e35f51811d2\tflow:4e35f51811d2 \u2192 host:16.78.103.11 \u2192 host:172.234.197.23\nFLOW_QUERIED_DNSOBS\te:fd:flow:c55c01d60832:dns:172-234-197-23.ip.linodeusercontent.com\tflow:c55c01d60832 \u2192 dns:172-234-197-23.ip.linodeusercontent.com\nSESSION_CONTAINS_EVENTOBS\te:pe:pe:dns:SESSION-1d2c12c54a6b8ee9:SESSION-1d2c12c54a6b8ee9\tSESSION-1d2c12c54a6b8ee9 \u2192 pe:dns:SESSION-1d2c12c54a6b8ee9\nFLOW_FROM_HOSTOBS\te:from:SESSION-ad1c4ddd91bc1148:host:3.220.15.173\tSESSION-ad1c4ddd91bc1148 \u2192 host:3.220.15.173\nSESSION_BETWEEN_HOSTS3-aryOBS\te:sbh:SESSION-bb030de157a28a92:host:51.224.129.180:host:172.234.197.23\tSESSION-bb030de157a28a92 \u2192 host:51.224.129.180 \u2192 host:172.234.197.23\nFLOW_FROM_HOSTOBS\te:from:SESSION-d8e778a85b00d06e:host:13.229.125.1\tSESSION-d8e778a85b00d06e \u2192 host:13.229.125.1<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":2464,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"class_list":["post-5893","page","type-page","status-publish","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/index.php?rest_route=\/wp\/v2\/pages\/5893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5893"}],"version-history":[{"count":7,"href":"https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/index.php?rest_route=\/wp\/v2\/pages\/5893\/revisions"}],"predecessor-version":[{"id":5904,"href":"https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/index.php?rest_route=\/wp\/v2\/pages\/5893\/revisions\/5904"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/index.php?rest_route=\/wp\/v2\/media\/2464"}],"wp:attachment":[{"href":"https:\/\/neurosphere-2.tail52f848.ts.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}