diff --git a/cowrie/wardenfiler.py b/cowrie/wardenfiler.py
index d8e0d1b3c86fc6d541698958438ded6f5c0df4d4..fc979253b459f6f8521276b1b5ef6ca56b40f9d1 100644
--- a/cowrie/wardenfiler.py
+++ b/cowrie/wardenfiler.py
@@ -198,9 +198,10 @@ class Output(cowrie.core.output.Output):
 )
 entry["loggedin"] = False
+ # AID - aggregation ID
+ entry["aid"] = aid = ','.join((entry["src_ip"], entry["dst_ip"]))
 self.sessions[entry["session"]] = entry
 ws = self.win_start or time()
- aid = ','.join((entry["src_ip"], entry["dst_ip"]))
 cnt = self.attackers.get(aid, 0)
 if (time() - ws < self.aggr_win):
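Review bot: The added line `entry["aid"] = aid = ','.join((entry["src_ip"], entry["dst_ip"]))` binds a local and a session field in one chained assignment, and the comment above it only expands the acronym without saying what the value is for. I would split it into `aid = ','.join((entry["src_ip"], entry["dst_ip"]))` followed by `entry["aid"] = aid`, and reword the comment to something like `# aggregation ID: "src_ip,dst_ip" key into self.attackers, kept on the session entry`. Because `entry` is stored in `self.sessions` on the next line, the new `aid` key now travels with the session record; if those entries are later serialized into outgoing reports (not visible here), confirm the extra field is intended there. The enclosing method starts and ends outside this hunk, so how `entry["aid"]` is consumed cannot be checked from these lines.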