Using the data collected over the past year and using Kibana these two ES|QL query to summarize the data, this shows the list of the most uploaded threat to two DShield sensors (local and cloud) over the past year. I have sorted the activity by months that shows the evolution of files uploaded to the sensors each month. The activity peaked during the winter months (Dec 2025 – Feb 2026) and started decreasing in March 2026 for each sensor.
ES|QL Query by Sensor
FROM cowrie*
| WHERE threat.indicator.provider == “virustotal”
| WHERE related.hash IS NOT NULL
| WHERE threat.indicator.file.type IS NOT NULL
| WHERE threat.software.name IS NOT NULL
| SORT @timestamp DESC
| STATS Total=COUNT(related.hash) BY FileType=threat.indicator.file.type, agent.name=BUCKET(@timestamp, 50, ?_tstart, ?_tend)
Past Year of Files Uploaded to Dshield Sensors
This example displays the activity by file type (8) for a one-year period. The file type uploaded or downloaded to the sensor are ELF, Shell script, Powershell, HTML, Text, unknown, DOS batch file and JavaScript.
ES|QL Activity by File Type
FROM cowrie*
| WHERE threat.indicator.provider == “virustotal”
| WHERE related.hash IS NOT NULL
| WHERE threat.indicator.file.type IS NOT NULL
| WHERE threat.software.name IS NOT NULL
| WHERE threat.indicator.name IS NOT NULL
| SORT @timestamp DESC
| STATS Total=COUNT(related.hash) BY agent.name, threat.indicator.name=BUCKET(@timestamp, 50, ?_tstart, ?_tend)
To monitor the type of files uploaded or downloaded to the sensor, using the cowrie_vt.sh [3] Python Jesse’s script [4], it provides a daily list of hash files that are stored on the sensor and can be monitored within the DShield SIEM [2].
[1] https://isc.sans.edu/tools/honeypot/
[2] https://github.com/bruneaug/DShield-SIEM
[3] https://github.com/bruneaug/DShield-Sensor/blob/main/sensor_scripts/cowrie_vt.sh
[4] https://raw.githubusercontent.com/jslagrew/cowrieprocessor/main/cowrie_malware_enrichment.py
———–
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.