{"id":3388,"date":"2026-05-28T20:04:03","date_gmt":"2026-05-28T20:04:03","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/"},"modified":"2026-05-28T20:04:03","modified_gmt":"2026-05-28T20:04:03","slug":"analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/","title":{"rendered":"Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th)"},"content":{"rendered":"
\n

Using the data collected over the past year and using Kibana these two ES|QL query to summarize the data, this shows the list of the most uploaded threat to two DShield sensors (local and cloud) over the past year.\u00a0I have sorted the activity by months that shows the evolution of files uploaded to the sensors each month. The activity peaked during the winter months (Dec 2025 – Feb 2026) and started decreasing in March 2026 for each sensor.<\/p>\n

\"\"<\/p>\n

ES|QL Query by Sensor<\/strong><\/span><\/p>\n

FROM cowrie*\u00a0
\n| WHERE threat.indicator.provider == “virustotal”
\n| WHERE related.hash IS NOT NULL
\n| WHERE threat.indicator.file.type IS NOT NULL
\n| WHERE threat.software.name IS NOT NULL
\n| SORT @timestamp DESC
\n| STATS Total=COUNT(related.hash) BY FileType=threat.indicator.file.type, agent.name=BUCKET(@timestamp, 50, ?_tstart, ?_tend)<\/span><\/p>\n

Past Year of Files Uploaded to Dshield Sensors<\/span><\/strong><\/p>\n

This example displays the activity by file type (8) for a one-year period.\u00a0The file type uploaded or downloaded to the sensor are ELF, Shell script, Powershell, HTML, Text, unknown, DOS batch file and JavaScript.<\/p>\n

\"\"<\/p>\n

ES|QL Activity by File Type<\/strong><\/span><\/p>\n

FROM cowrie*\u00a0
\n| WHERE threat.indicator.provider == “virustotal”
\n| WHERE related.hash IS NOT NULL
\n| WHERE threat.indicator.file.type IS NOT NULL
\n| WHERE threat.software.name IS NOT NULL
\n| WHERE\u00a0 threat.indicator.name IS NOT NULL
\n| SORT @timestamp DESC
\n| STATS Total=COUNT(related.hash) BY agent.name, threat.indicator.name=BUCKET(@timestamp, 50, ?_tstart, ?_tend)<\/span><\/p>\n

To monitor the type of files uploaded or downloaded to the sensor, using the cowrie_vt.sh [3<\/a>] Python Jesse’s<\/a> script [4<\/a>], it provides a daily list of hash files that are stored on the sensor and can be monitored within the DShield SIEM [2<\/a>].<\/p>\n

[1] https:\/\/isc.sans.edu\/tools\/honeypot\/
\n[2] https:\/\/github.com\/bruneaug\/DShield-SIEM
\n[3] https:\/\/github.com\/bruneaug\/DShield-Sensor\/blob\/main\/sensor_scripts\/cowrie_vt.sh
\n[4] https:\/\/raw.githubusercontent.com\/jslagrew\/cowrieprocessor\/main\/cowrie_malware_enrichment.py<\/p>\n

———–
\nGuy Bruneau IPSS Inc.<\/a>
\nMy GitHub Page<\/a>
\nTwitter: GuyBruneau<\/a>
\ngbruneau at isc dot sans dot edu<\/p>\n

(c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Using the data collected over the past year and using Kibana these two ES|QL query to summarize the data, this shows the list of the most uploaded threat to two DShield sensors (local and cloud) over the past year.\u00a0I have sorted the activity by months that shows the evolution of files uploaded to the sensors […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-3388","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\nAnalysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"Using the data collected over the past year and using Kibana these two ES|QL query to summarize the data, this shows the list of the most uploaded threat to two DShield sensors (local and cloud) over the past year.\u00a0I have sorted the activity by months that shows the evolution of files uploaded to the sensors […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-28T20:04:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/malware_1year_activity.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th)\",\"datePublished\":\"2026-05-28T20:04:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/\"},\"wordCount\":353,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/malware_1year_activity.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/\",\"name\":\"Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/malware_1year_activity.png\",\"datePublished\":\"2026-05-28T20:04:03+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/malware_1year_activity.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/malware_1year_activity.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/","og_locale":"en_US","og_type":"article","og_title":"Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th) - Imperative Business Ventures Limited","og_description":"Using the data collected over the past year and using Kibana these two ES|QL query to summarize the data, this shows the list of the most uploaded threat to two DShield sensors (local and cloud) over the past year.\u00a0I have sorted the activity by months that shows the evolution of files uploaded to the sensors […]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-05-28T20:04:03+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/malware_1year_activity.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th)","datePublished":"2026-05-28T20:04:03+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/"},"wordCount":353,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/malware_1year_activity.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/","name":"Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/malware_1year_activity.png","datePublished":"2026-05-28T20:04:03+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/malware_1year_activity.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/malware_1year_activity.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/analysis-of-a-year-of-files-uploaded-to-dshield-sensors-wed-may-27th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=3388"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3388\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=3388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=3388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=3388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}