Click HERE to learn more about classes Guy is teaching for SANS

Analysis of a Year of Files Uploaded to DShield Sensors

Published: 2026-05-27. Last Updated: 2026-05-28 19:41:55 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Using the data collected over the past year and using Kibana these two ES|QL query to summarize the data, this shows the list of the most uploaded threat to two DShield sensors (local and cloud) over the past year. I have sorted the activity by months that shows the evolution of files uploaded to the sensors each month. The activity peaked during the winter months (Dec 2025 - Feb 2026) and started decreasing in March 2026 for each sensor.

ES|QL Query by Sensor

FROM cowrie* 
| WHERE threat.indicator.provider == "virustotal"
| WHERE related.hash IS NOT NULL
| WHERE threat.indicator.file.type IS NOT NULL
| WHERE threat.software.name IS NOT NULL
| SORT @timestamp DESC
| STATS Total=COUNT(related.hash) BY FileType=threat.indicator.file.type, agent.name=BUCKET(@timestamp, 50, ?_tstart, ?_tend)

Past Year of Files Uploaded to Dshield Sensors

This example displays the activity by file type (8) for a one-year period. The file type uploaded or downloaded to the sensor are ELF, Shell script, Powershell, HTML, Text, unknown, DOS batch file and JavaScript.

ES|QL Activity by File Type

FROM cowrie* 
| WHERE threat.indicator.provider == "virustotal"
| WHERE related.hash IS NOT NULL
| WHERE threat.indicator.file.type IS NOT NULL
| WHERE threat.software.name IS NOT NULL
| WHERE  threat.indicator.name IS NOT NULL
| SORT @timestamp DESC
| STATS Total=COUNT(related.hash) BY agent.name, threat.indicator.name=BUCKET(@timestamp, 50, ?_tstart, ?_tend)

To monitor the type of files uploaded or downloaded to the sensor, using the cowrie_vt.sh [3] Python Jesse's script [4], it provides a daily list of hash files that are stored on the sensor and can be monitored within the DShield SIEM [2].

[1] https://isc.sans.edu/tools/honeypot/
[2] https://github.com/bruneaug/DShield-SIEM
[3] https://github.com/bruneaug/DShield-Sensor/blob/main/sensor_scripts/cowrie_vt.sh
[4] https://raw.githubusercontent.com/jslagrew/cowrieprocessor/main/cowrie_malware_enrichment.py

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: DShield sensor DShield SIEM Malware Analysis Statistics Virustotal
0 comment(s)
Click HERE to learn more about classes Guy is teaching for SANS

Comments

Login here to join the discussion.


Top of page
Diary Archives