At Black Hat, each new knowledge supply is a trade-off.
Extra telemetry means higher visibility – but in addition extra knowledge for menace hunters to sift by.
From SMA to SAA: Identical Want, Completely different Drawback
Lately, Splunk Assault Analyzer (SAA) outmoded Safe Malware Analytics (SMA) because the official malware menace evaluation platform at Black Hat.
With SMA, we had a easy and efficient sample:
Submissions exceeding a rating threshold
Routinely surfaced to the Menace Hunters’ incident queue on Cisco XDR
It labored nicely. So naturally, we needed the identical consequence with SAA.
SAA offers granular knowledge throughout a number of sourcetypes, permitting for important flexibility in how data is introduced. By mapping these knowledge streams collectively, we tailor-made our reporting to ship a complete, cohesive view of our menace panorama.
The Turning Level: Collaboration
That is the place David and Lily stepped in. They constructed a question that:
Extracts submission metadata (URL, Job ID, engines used)
Makes use of the Job ID to retrieve high-scoring outcomes (≥85)
Joins and reshapes each datasets right into a single, usable construction
This was a transformative shift. By tailoring our configuration to fulfill our particular necessities, we unlocked a brand new stage of visibility. This method delivered the deep, actionable insights essential to optimize our workflow.
Constructing the Workflow
With the question prepared, the main target shifted to automation.
As a substitute of ranging from scratch, we reused current ingestion parts and tailored them for this knowledge construction.
Then got here an necessary choice: Concentrate on what issues for detection of threats at Black Hat.
SAA can settle for any file format and URLs for evaluation which implies we noticed many protocols getting used, together with:
However solely HTTP had significant quantity and relevance for the occasion.
So, we minimize the remaining. POP3/SMTP would get an opportunity subsequent time round.
This was precision – prioritizing affect over completeness.
Enriching with Community Context and lowering noise
A file submitted by way of HTTP doesn’t exist in isolation – it has community context. So, we enriched every submission with:
Associated site visitors telemetry
Directionality
Motion context (allowed vs blocked)
This turned remoted outcomes into one thing menace hunters might really examine.
At this stage, we hit acquainted challenges:
Timestamp normalization (epoch → RFC3339)
Motion context extraction (allowed vs blocked)
Visitors directionality
All needed for correct ingestion into XDR.
One situation practically derailed the correlation logic. Visitors originating from inside zones was routed by zScaler, leading to:
Shared vacation spot IPs
A number of unrelated occasions bundled collectively
This might create false correlations – precisely the noise we had been making an attempt to keep away from.
The repair? A focused exception to filter it out.
Extremely personalized – however efficient.
The End result: Higher Alerts for Hunters
The workflow produced a brand new detection stream in Cisco XDR – powered by SAA submissions, enriched with community context.
At first look, some alerts seemed essential primarily based on their attributes of:
Excessive scores
A number of inside programs concerned
Suspicious JavaScript obfuscation behaviour
However investigation informed a distinct story.
A authentic Twitter embed. Flagged by heuristics.
False constructive. And that’s the purpose.
With correct context and evaluation from Assault Storyboard, the workforce shortly validated and dismissed it.
And that’s the true win. This workflow wasn’t about including one other knowledge supply.
It was about:
Surfacing high-risk submissions mechanically
Offering community context for sooner triage
Serving to menace hunters dismiss noise sooner
This workflow is way from excellent. It’s going to evolve, identical to every little thing else we construct at Black Hat.
“Ultimately, the very best detection isn’t the highest scored one – it’s the one you’ll be able to act on.”
Take a look at the opposite blogs from our workforce at Black Hat Asia 2026.
About Black Hat
Black Hat is the cybersecurity business’s most established and in-depth safety occasion collection. Based in 1997, these annual, multi-day occasions present attendees with the most recent in cybersecurity analysis, growth, and tendencies. Pushed by the wants of the neighborhood, Black Hat occasions showcase content material immediately from the neighborhood by Briefings shows, Trainings programs, Summits, and extra. Because the occasion collection the place all profession ranges and educational disciplines convene to collaborate, community, and talk about the cybersecurity subjects that matter most to them, attendees can discover Black Hat occasions in america, Canada, Europe, Center East and Africa, and Asia. For extra data, please go to www.Black Hat.com.
We’d love to listen to what you suppose! Ask a query and keep related with Cisco Safety on social media.
Cisco Safety Social Media
LinkedInFacebookInstagram
