
Analysis of a Year of Files Uploaded to DShield Sensors, (Wed, May 27th)

SANS ISC. Archived May 28, 2026.

Analysis of a Year of Files Uploaded to DShield Sensors
Published: 2026-05-27. Last Updated: 2026-05-28 19:41:55 UTC by Guy Bruneau (Version: 1)

Using the data collected over the past year, the two Kibana ES|QL queries below summarize the threats most often uploaded to two DShield sensors (local and cloud). Sorting the activity by month shows how the volume of files uploaded to each sensor evolved over the year: activity peaked during the winter months (Dec 2025 - Feb 2026) and started decreasing in March 2026 on both sensors.

ES|QL Query by Sensor

```esql
FROM cowrie*
// keep only documents enriched by VirusTotal that carry a hash, a file type and a malware family name
| WHERE threat.indicator.provider == "virustotal"
| WHERE related.hash IS NOT NULL
| WHERE threat.indicator.file.type IS NOT NULL
| WHERE threat.software.name IS NOT NULL
// ordering the input does not change the aggregate below; harmless but not required
| SORT @timestamp DESC
// one row per file type, per sensor (agent.name) and per time bucket;
// ?_tstart and ?_tend are bound to the Kibana time picker
| STATS Total=COUNT(related.hash) BY FileType=threat.indicator.file.type, agent.name, BUCKET(@timestamp, 50, ?_tstart, ?_tend)
```

Past Year of Files Uploaded to DShield Sensors

This example displays the activity by file type (8) for a one-year period. The file types uploaded to or downloaded by the sensors are ELF, Shell script, PowerShell, HTML, Text, unknown, DOS batch file and JavaScript.

ES|QL Activity by File Type

```esql
FROM cowrie*
// same filters as above, plus a VirusTotal threat name so every row can be labelled
| WHERE threat.indicator.provider == "virustotal"
| WHERE related.hash IS NOT NULL
| WHERE threat.indicator.file.type IS NOT NULL
| WHERE threat.software.name IS NOT NULL
| WHERE threat.indicator.name IS NOT NULL
| SORT @timestamp DESC
// one row per sensor, per threat name and per time bucket
| STATS Total=COUNT(related.hash) BY agent.name, threat.indicator.name, BUCKET(@timestamp, 50, ?_tstart, ?_tend)
```

To monitor the types of files uploaded to or downloaded by a sensor, the cowrie_vt.sh script [3] together with Jesse's Python script [4] produces a daily list of the hashes of files stored on the sensor; those hashes can then be monitored within the DShield SIEM [2].
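The following Python is an added example, not code from the diary or from the DShield-SIEM or DShield-Sensor projects. It reproduces the two STATS summaries offline over a handful of constructed documents that carry the same ECS-style field names the queries use, so the filter chain and the grouping can be checked without an Elasticsearch cluster. It buckets by calendar month, the granularity the diary reports, rather than reproducing ES|QL's automatic BUCKET interval selection, and it also reports the number of distinct hashes per group: COUNT(related.hash) counts every upload event, so a single bot re-uploading the same binary inflates Total without adding a new sample. The sensor names, placeholder hashes and threat labels are assumptions made for the sample data.

```python
"""Offline reproduction of the diary's two STATS summaries (added example,
not diary or DShield-SIEM code). Documents are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Fields the WHERE chain requires to be non-null in both queries.
REQUIRED_FIELDS = ("related.hash", "threat.indicator.file.type", "threat.software.name")


def make_doc(ts, sensor, sha256, ftype, software, name=None, provider="virustotal"):
    """Minimal enriched Cowrie document with the ECS-style fields the queries touch."""
    return {"@timestamp": ts, "agent.name": sensor, "threat.indicator.provider": provider,
            "related.hash": sha256, "threat.indicator.file.type": ftype,
            "threat.software.name": software, "threat.indicator.name": name}


# Constructed sample set: sensor names, hashes (h1..h5) and labels are placeholders.
SAMPLE_DOCS = [
    make_doc("2025-12-03T04:12:09Z", "dshield-local", "h1", "ELF", "Mirai", "Linux/Mirai"),
    # same binary uploaded again to the same sensor: COUNT sees 2, distinct hashes 1
    make_doc("2025-12-19T22:41:50Z", "dshield-local", "h1", "ELF", "Mirai", "Linux/Mirai"),
    make_doc("2026-01-08T11:05:33Z", "dshield-cloud", "h2", "Shell script", "Mirai", "Shell.Downloader"),
    # no VirusTotal family name -> dropped by WHERE threat.software.name IS NOT NULL
    make_doc("2026-01-20T15:17:02Z", "dshield-cloud", "h3", "Powershell", None, "PS.Agent"),
    # enriched by a different provider -> dropped by the provider filter
    make_doc("2026-02-02T09:00:00Z", "dshield-local", "h5", "ELF", "Gafgyt", "Linux/Gafgyt", provider="clamav"),
    # family known but no indicator name -> kept by query 1, dropped by query 2
    make_doc("2026-03-14T03:33:21Z", "dshield-cloud", "h4", "ELF", "Gafgyt"),
    # no hash at all -> dropped by WHERE related.hash IS NOT NULL
    make_doc("2026-01-25T19:48:10Z", "dshield-local", None, "Text", "Mirai", "Text.Dropper"),
]


def passes_filters(doc, require_indicator_name=False):
    """The WHERE chain shared by both queries; query 2 also needs threat.indicator.name."""
    if doc.get("threat.indicator.provider") != "virustotal":
        return False
    needed = REQUIRED_FIELDS + (("threat.indicator.name",) if require_indicator_name else ())
    return all(doc.get(field) is not None for field in needed)


def month_bucket(ts):
    """Calendar-month bucket for a UTC timestamp such as 2026-01-08T11:05:33Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m")


def stats_by(docs, fields, require_indicator_name=False):
    """STATS Total=COUNT(related.hash) BY <fields>, month, plus distinct hashes per group."""
    totals = defaultdict(int)
    hashes = defaultdict(set)
    for doc in docs:
        if not passes_filters(doc, require_indicator_name):
            continue
        key = tuple(doc.get(field) for field in fields) + (month_bucket(doc["@timestamp"]),)
        totals[key] += 1
        hashes[key].add(doc["related.hash"])
    return {key: {"Total": totals[key], "Distinct": len(hashes[key])} for key in totals}


def by_file_type_and_sensor(docs):
    """Query 1: (FileType, agent.name, month) -> counts."""
    return stats_by(docs, ("threat.indicator.file.type", "agent.name"))


def by_sensor_and_threat_name(docs):
    """Query 2: (agent.name, threat.indicator.name, month) -> counts."""
    return stats_by(docs, ("agent.name", "threat.indicator.name"), require_indicator_name=True)


def monthly_totals_per_sensor(docs):
    """Collapse query 1 to (sensor, month), the per-month series the diary describes."""
    out = defaultdict(int)
    for (_ftype, sensor, month), counts in by_file_type_and_sensor(docs).items():
        out[(sensor, month)] += counts["Total"]
    return dict(out)


def peak_month(docs, sensor):
    """Month with the most upload events for one sensor, or None if it has none."""
    months = {m: n for (s, m), n in monthly_totals_per_sensor(docs).items() if s == sensor}
    return max(months, key=months.get) if months else None


if __name__ == "__main__":
    for key, counts in sorted(by_file_type_and_sensor(SAMPLE_DOCS).items(), key=lambda kv: kv[0][2]):
        print("by file type/sensor", key, counts)
    for key, counts in sorted(by_sensor_and_threat_name(SAMPLE_DOCS).items(), key=lambda kv: kv[0][2]):
        print("by sensor/threat   ", key, counts)
    for sensor in ("dshield-local", "dshield-cloud"):
        print(sensor, "peak month:", peak_month(SAMPLE_DOCS, sensor))
```

On real data the Distinct column is the one to watch when a month's Total spikes: if Total rises while Distinct stays flat, the jump is a few bots replaying the same payload rather than new malware arriving at the sensor.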
[1] https://isc.sans.edu/tools/honeypot/
[2] https://github.com/bruneaug/DShield-SIEM
[3] https://github.com/bruneaug/DShield-Sensor/blob/main/sensor_scripts/cowrie_vt.sh
[4] https://raw.githubusercontent.com/jslagrew/cowrieprocessor/main/cowrie_malware_enrichment.py

-----------
Guy Bruneau
IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: DShield sensor, DShield SIEM, Malware Analysis, Statistics, Virustotal