[ { "log_type": "linux_auth", "timestamp": "2026-05-10T09:00:12Z", "hostname": "bastion01.prod.fintech-core.internal", "service": "sshd", "event_type": "authentication_success", "source_ip": "10.20.30.14", "user": "ops_admin", "raw_message": "Accepted publickey for ops_admin from 10.20.30.14 port 54412 ssh2: RSA SHA256:8d:2a:11:9c" }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:00:15Z", "hostname": "bastion01.prod.fintech-core.internal", "service": "sshd", "event_type": "session_opened", "source_ip": "10.20.30.14", "user": "ops_admin", "raw_message": "pam_unix(sshd:session): session opened for user ops_admin by (uid=0)" }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:01:03Z", "hostname": "app01.prod.fintech-core.internal", "service": "sudo", "event_type": "session_opened", "source_ip": null, "user": "ops_admin", "raw_message": "ops_admin : TTY=pts/1 ; PWD=/opt/fintech ; USER=root ; COMMAND=/usr/bin/systemctl restart payments-api" }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:02:10Z", "client_ip": "10.20.40.55", "request_method": "GET", "request_path": "/", "status_code": 200, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0.0.0 Safari/537.36", "payload_signature": null }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:02:11Z", "client_ip": "10.20.40.55", "request_method": "GET", "request_path": "/assets/app.js", "status_code": 200, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0.0.0 Safari/537.36", "payload_signature": null }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:02:11Z", "client_ip": "10.20.40.55", "request_method": "GET", "request_path": "/assets/styles.css", "status_code": 200, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0.0.0 Safari/537.36", "payload_signature": null }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:02:14Z", "client_ip": "10.20.40.55", "request_method": "GET", "request_path": "/favicon.ico", "status_code": 200, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0.0.0 Safari/537.36", "payload_signature": null }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:03:08Z", "client_ip": "10.20.41.22", "request_method": "GET", "request_path": "/login", "status_code": 200, "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 Version/17.4 Safari/605.1.15", "payload_signature": null }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:03:19Z", "client_ip": "10.20.41.22", "request_method": "POST", "request_path": "/api/v1/session", "status_code": 200, "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 Version/17.4 Safari/605.1.15", "payload_signature": null }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:04:01Z", "hostname": "db01.prod.fintech-core.internal", "service": "sshd", "event_type": "authentication_success", "source_ip": "10.20.30.14", "user": "ops_admin", "raw_message": "Accepted publickey for ops_admin from 10.20.30.14 port 54501 ssh2: ED25519 SHA256:2f:0d:8b:ce" }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:04:04Z", "hostname": "db01.prod.fintech-core.internal", "service": "sshd", "event_type": "session_opened", "source_ip": "10.20.30.14", "user": "ops_admin", "raw_message": "pam_unix(sshd:session): session opened for user ops_admin by (uid=0)" }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:05:33Z", "client_ip": "172.16.8.19", "request_method": "GET", "request_path": "/healthz", "status_code": 200, "user_agent": "kube-probe/1.29", "payload_signature": null }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:06:10Z", "client_ip": "10.20.42.61", "request_method": "GET", "request_path": "/api/v1/accounts/summary", "status_code": 200, "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/123.0.0.0 Safari/537.36", "payload_signature": null }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:06:47Z", "hostname": "app02.prod.fintech-core.internal", "service": "sudo", "event_type": "session_opened", "source_ip": null, "user": "secops", "raw_message": "secops : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx --since '5 min ago'" }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:07:18Z", "client_ip": "10.20.43.77", "request_method": "GET", "request_path": "/assets/logo.svg", "status_code": 200, "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148", "payload_signature": null }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:07:20Z", "client_ip": "10.20.43.77", "request_method": "GET", "request_path": "/assets/fonts/ibm-plex-sans.woff2", "status_code": 200, "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148", "payload_signature": null }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:08:05Z", "hostname": "app01.prod.fintech-core.internal", "service": "sshd", "event_type": "authentication_success", "source_ip": "10.20.30.14", "user": "deploy", "raw_message": "Accepted publickey for deploy from 10.20.30.14 port 55110 ssh2: ECDSA SHA256:11:74:d1:90" }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:08:06Z", "hostname": "app01.prod.fintech-core.internal", "service": "sshd", "event_type": "session_opened", "source_ip": "10.20.30.14", "user": "deploy", "raw_message": "pam_unix(sshd:session): session opened for user deploy by (uid=0)" }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:09:42Z", "client_ip": "10.20.44.13", "request_method": "GET", "request_path": "/api/v1/transactions?limit=25", "status_code": 200, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0.0.0 Safari/537.36", "payload_signature": null }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:10:02Z", "client_ip": "172.16.8.19", "request_method": "GET", "request_path": "/readyz", "status_code": 200, "user_agent": "kube-probe/1.29", "payload_signature": null }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:10:44Z", "hostname": "bastion01.prod.fintech-core.internal", "service": "sudo", "event_type": "session_opened", "source_ip": null, "user": "ops_admin", "raw_message": "ops_admin : TTY=pts/0 ; PWD=/home/ops_admin ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/auth.log" }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:12:09Z", "client_ip": "185.220.101.45", "request_method": "GET", "request_path": "/api/v1/users?email=' OR 1=1 --", "status_code": 403, "user_agent": "sqlmap/1.8.5#stable", "payload_signature": "SQLI_TAUTOLOGY_OR_1_EQ_1" }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:12:21Z", "client_ip": "185.220.101.45", "request_method": "GET", "request_path": "/search?q=%3Cscript%3Ealert('xss')%3C%2Fscript%3E", "status_code": 403, "user_agent": "Mozilla/5.0 (compatible; ReconBot/2.1)", "payload_signature": "XSS_SCRIPT_TAG_IN_QUERY" }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:12:58Z", "hostname": "app01.prod.fintech-core.internal", "service": "sshd", "event_type": "authentication_failed", "source_ip": "185.220.101.45", "user": "root", "raw_message": "Failed password for root from 185.220.101.45 port 60211 ssh2" }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:13:11Z", "hostname": "app01.prod.fintech-core.internal", "service": "sshd", "event_type": "authentication_failed", "source_ip": "91.240.118.172", "user": "admin", "raw_message": "Failed password for invalid user admin from 91.240.118.172 port 42544 ssh2" }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:13:23Z", "hostname": "app01.prod.fintech-core.internal", "service": "sshd", "event_type": "authentication_failed", "source_ip": "103.77.192.66", "user": "oracle", "raw_message": "Failed password for invalid user oracle from 103.77.192.66 port 33318 ssh2" }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:13:47Z", "client_ip": "45.146.165.9", "request_method": "GET", "request_path": "/?file=../../../../etc/passwd", "status_code": 403, "user_agent": "curl/8.6.0", "payload_signature": "LFI_PATH_TRAVERSAL_DOTDOT" }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:14:05Z", "client_ip": "203.0.113.212", "request_method": "GET", "request_path": "/api/v1/export?format=csv;cat%20/etc/shadow", "status_code": 403, "user_agent": "python-requests/2.32.3", "payload_signature": "CMDI_SHELL_METACHAR_SEQUENCE" }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:14:22Z", "hostname": "db01.prod.fintech-core.internal", "service": "sudo", "event_type": "authentication_failed", "source_ip": null, "user": "intern", "raw_message": "intern : 3 incorrect password attempts ; TTY=pts/5 ; PWD=/home/intern ; USER=root ; COMMAND=/bin/su -" }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:14:49Z", "hostname": "bastion01.prod.fintech-core.internal", "service": "sudo", "event_type": "authentication_failed", "source_ip": null, "user": "www-data", "raw_message": "www-data is not in the sudoers file. This incident will be reported." }, { "log_type": "nginx_waf", "timestamp": "2026-05-10T09:15:03Z", "client_ip": "198.51.100.77", "request_method": "GET", "request_path": "/login?next=https://evil.example/%0d%0aSet-Cookie:session=steal", "status_code": 403, "user_agent": "Mozilla/5.0 zgrab/0.x", "payload_signature": "CRLF_HEADER_INJECTION" }, { "log_type": "linux_auth", "timestamp": "2026-05-10T09:15:31Z", "hostname": "app02.prod.fintech-core.internal", "service": "sshd", "event_type": "authentication_failed", "source_ip": "185.220.101.45", "user": "deploy", "raw_message": "maximum authentication attempts exceeded for deploy from 185.220.101.45 port 60320 ssh2 [preauth]" } ]