10 - http-logs
less -S http.log | zeek-cut user_agent | sort | uniq -c | sort -n


Wget looks fishy.

cat http.log | zeek-grep Wget | zeek-cut id.orig_h id.resp_h uri user_agent
root@53ef41d5da39:/mnt# cat http.log | zeek-grep Wget | zeek-cut id.orig_h id.resp_h uri user_agent
172.31.39.46    13.233.179.35   /PKCampaign/Targets/Forela/Ransomware2_server.zip       Wget/1.21.2

http://13.233.179.35/PKCampaign/Targets/Forela/Ransomware2_server.zip
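The same two steps (stack the user agents, then pull the requests made by the rare ones) in one pass with plain awk, for hosts where zeek-cut is not installed. This is an added example, not part of the original notes; the sample log rows, the function names and the threshold argument are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample in Zeek TSV layout (a real http.log has many more columns).
sample_http_log() {
  printf '#separator \\x09\n'
  printf '#fields\tts\tid.orig_h\tid.resp_h\turi\tuser_agent\n'
  printf '1.0\t10.0.0.5\t192.0.2.10\t/index.html\tMozilla/5.0 (constructed)\n'
  printf '2.0\t10.0.0.5\t192.0.2.10\t/style.css\tMozilla/5.0 (constructed)\n'
  printf '3.0\t10.0.0.6\t192.0.2.10\t/index.html\tMozilla/5.0 (constructed)\n'
  printf '4.0\t10.0.0.6\t192.0.2.11\t/check\tExampleUpdater/2.0\n'
  printf '5.0\t10.0.0.5\t192.0.2.11\t/check\tExampleUpdater/2.0\n'
  printf '6.0\t10.0.0.7\t198.51.100.20\t/files/archive.zip\tWget/1.21.2\n'
}

# Reads a Zeek http.log on stdin and prints id.orig_h, id.resp_h, uri and
# user_agent for every request whose User-Agent occurs at most $1 times
# (default 1). Columns are located by name from the #fields header, as
# zeek-cut does, so the column order in the log does not matter.
rare_agent_requests() {
  awk -F'\t' -v max="${1:-1}" '
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/       { next }
    !("user_agent" in col) {
      print "no user_agent column in #fields header" > "/dev/stderr"
      exit 2
    }
    {
      ua = $(col["user_agent"])
      count[ua]++
      rows[ua] = rows[ua] $(col["id.orig_h"]) "\t" $(col["id.resp_h"]) "\t" \
                 $(col["uri"]) "\t" ua "\n"
    }
    END { for (ua in count) if (count[ua] <= max) printf "%s", rows[ua] }
  ' | sort
}

# On the constructed sample only the single Wget request is reported.
sample_http_log | rare_agent_requests 1
```

Against a real capture, run `rare_agent_requests 1 < http.log`. Requests with no User-Agent header appear as `-` and are counted as their own agent.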