Analysis of a Year of Files Uploaded to DShield Sensors (Wed, May 27th)
Using the data collected over the past year and two ES|QL queries in Kibana to summarize it, this diary shows the threats most often uploaded to two DShield sensors [1] (one local, one in the cloud) over the past year. I have sorted the activity by month to show how the files uploaded to each sensor evolved over time. Activity peaked during the winter months (Dec 2025 - Feb 2026) and started decreasing in March 2026 on both sensors.

ES|QL Query by Sensor

FROM cowrie*
// only events that were enriched with a VirusTotal verdict
| WHERE threat.indicator.provider == "virustotal"
| WHERE related.hash IS NOT NULL
| WHERE threat.indicator.file.type IS NOT NULL
| WHERE threat.software.name IS NOT NULL
| SORT @timestamp DESC
// count enriched hashes per file type, per sensor, per time bucket
| STATS Total=COUNT(related.hash) BY FileType=threat.indicator.file.type, agent.name, BUCKET(@timestamp, 50, ?_tstart, ?_tend)

[Figure: Past Year of Files Uploaded to DShield Sensors]

This example displays the activity by file type for a one-year period. Eight file types were uploaded to or downloaded by the sensors: ELF, shell script, PowerShell, HTML, text, unknown, DOS batch file and JavaScript.

ES|QL Activity by File Type

FROM cowrie*
| WHERE threat.indicator.provider == "virustotal"
| WHERE related.hash IS NOT NULL
| WHERE threat.indicator.file.type IS NOT NULL
| WHERE threat.software.name IS NOT NULL
| WHERE threat.indicator.name IS NOT NULL
| SORT @timestamp DESC
// count enriched hashes per sensor, per indicator name, per time bucket
| STATS Total=COUNT(related.hash) BY agent.name, threat.indicator.name, BUCKET(@timestamp, 50, ?_tstart, ?_tend)

To monitor the types of files uploaded or downloaded to the sensor, the cowrie_vt.sh script [3], together with Jesse's Python script [4], provides a daily list of the hashes of the files stored on the sensor, which can then be monitored within the DShield SIEM [2].

[1] https://isc.sans.edu/tools/honeypot/
[2] https://github.com/bruneaug/DShield-SIEM
[3] https://github.com/bruneaug/DShield-Sensor/blob/main/sensor_scripts/cowrie_vt.sh
[4] https://raw.githubusercontent.com/jslagrew/cowrieprocessor/main/cowrie_malware_enrichment.py

-----------
Guy Bruneau IPSS Inc.
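The two ES|QL queries above are easier to sanity-check against a handful of known events than against a year of index data. The following is an added example, not code from the diary or from the DShield-SIEM project: it re-implements the same WHERE filters and the STATS grouping in Python over a constructed set of Cowrie events. It assumes the DShield-SIEM enrichment has already mapped events to the ECS-style field names the queries use (agent.name, @timestamp, related.hash, threat.indicator.provider, threat.indicator.file.type, threat.indicator.name, threat.software.name); the sensor names, hashes and indicator names in the sample are placeholders. One deliberate difference from the queries: instead of BUCKET(@timestamp, 50, ...), which lets Kibana pick an interval, the example buckets by calendar month, matching how the results are described in the text.

```python
"""Offline equivalent of the diary's two ES|QL summaries (added example).

Assumes Cowrie events already enriched into ECS-style fields by the
DShield-SIEM pipeline. Sample events below are constructed, not real data.
"""
from collections import Counter
from datetime import datetime

# Placeholder hashes (not real indicators).
H1, H2, H3, H4 = ("11" * 32, "22" * 32, "33" * 32, "44" * 32)

# Constructed sample events. Flat dotted keys and nested objects are mixed on
# purpose: both storage styles show up in real Elasticsearch documents.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-12-03T10:15:00Z", "agent.name": "dshield-local",
     "related.hash": H1, "threat.indicator.provider": "virustotal",
     "threat.indicator.file.type": "ELF", "threat.indicator.name": "x86.elf",
     "threat.software.name": "Mirai"},
    {"@timestamp": "2025-12-15T02:40:00Z", "agent.name": "dshield-cloud",
     "related.hash": H2, "threat.indicator.provider": "virustotal",
     "threat.indicator.file.type": "Shell script", "threat.indicator.name": "bins.sh",
     "threat.software.name": "Mirai"},
    {"@timestamp": "2026-01-08T22:05:00Z",
     "agent": {"name": "dshield-local"}, "related": {"hash": H3},
     "threat": {"indicator": {"provider": "virustotal", "file": {"type": "ELF"},
                              "name": "arm7.elf"},
                "software": {"name": "Gafgyt"}}},
    # Excluded by the queries: no hash (download failed, nothing to enrich).
    {"@timestamp": "2026-01-20T11:00:00Z", "agent.name": "dshield-cloud",
     "threat.indicator.provider": "virustotal"},
    # Excluded: enriched by a different provider.
    {"@timestamp": "2026-02-02T08:30:00Z", "agent.name": "dshield-local",
     "related.hash": H1, "threat.indicator.provider": "otx",
     "threat.indicator.file.type": "ELF", "threat.software.name": "Mirai"},
    # Excluded: VirusTotal returned no file type (hash unknown to VT).
    {"@timestamp": "2026-02-11T19:45:00Z", "agent.name": "dshield-cloud",
     "related.hash": H4, "threat.indicator.provider": "virustotal",
     "threat.software.name": "Mirai"},
    # Excluded: no malware family name.
    {"@timestamp": "2026-03-05T04:10:00Z", "agent.name": "dshield-local",
     "related.hash": H4, "threat.indicator.provider": "virustotal",
     "threat.indicator.file.type": "DOS batch file", "threat.software.name": None},
    {"@timestamp": "2026-03-19T13:20:00Z", "agent.name": "dshield-cloud",
     "related.hash": H2, "threat.indicator.provider": "virustotal",
     "threat.indicator.file.type": "Shell script", "threat.indicator.name": "bins.sh",
     "threat.software.name": "Mirai"},
]


def get_field(event, dotted):
    """Return a field by its ECS dotted name, accepting flat or nested storage."""
    if dotted in event:
        return event[dotted]
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def passes_filters(event, required):
    """The WHERE clauses: provider is VirusTotal and every required field is set."""
    if get_field(event, "threat.indicator.provider") != "virustotal":
        return False
    return all(get_field(event, f) is not None for f in required)


def month_bucket(timestamp):
    """Stand-in for BUCKET(@timestamp, ...): one bucket per calendar month."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00")).strftime("%Y-%m")


def summarize(events, group_fields, required):
    """STATS Total=COUNT(related.hash) BY group_fields..., month.

    Counts one per matching event, which equals COUNT(related.hash) as long as
    related.hash holds a single value per event.
    """
    totals = Counter()
    for ev in events:
        if not passes_filters(ev, required):
            continue
        key = tuple(get_field(ev, f) for f in group_fields)
        totals[key + (month_bucket(get_field(ev, "@timestamp")),)] += 1
    return totals


BASE_REQUIRED = ("related.hash", "threat.indicator.file.type", "threat.software.name")


def by_file_type_and_sensor(events):
    """First query: (file type, sensor, month) -> count."""
    return summarize(events, ("threat.indicator.file.type", "agent.name"), BASE_REQUIRED)


def by_sensor_and_indicator(events):
    """Second query: (sensor, indicator name, month) -> count; also needs indicator name."""
    return summarize(events, ("agent.name", "threat.indicator.name"),
                     BASE_REQUIRED + ("threat.indicator.name",))


if __name__ == "__main__":
    rows = by_file_type_and_sensor(SAMPLE_EVENTS)
    for (ftype, sensor, month), total in sorted(rows.items(), key=lambda kv: kv[0][2]):
        print(f"{month}  {sensor:<14} {ftype:<14} {total}")
```

Of the eight sample events, only four survive the filters; running the script prints one row per (month, sensor, file type) for those four. The four exclusions are the cases worth remembering when a dashboard count looks low: a download that never produced a hash, an enrichment from a provider other than VirusTotal, a hash VirusTotal has never seen (no file type), and a sample with no family name.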
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Originally published by SANS ISC
Source: https://isc.sans.edu/diary/rss/33026