惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Hacker News
The Hacker News
Martin Fowler
Martin Fowler
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
F
Full Disclosure
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
Security Archives - TechRepublic
Security Archives - TechRepublic
阮一峰的网络日志
阮一峰的网络日志
T
Threatpost
P
Privacy International News Feed
GbyAI
GbyAI
Stack Overflow Blog
Stack Overflow Blog
MongoDB | Blog
MongoDB | Blog
I
Intezer
Recent Announcements
Recent Announcements
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Privacy & Cybersecurity Law Blog
A
Arctic Wolf
博客园 - 聂微东
博客园 - 叶小钗
Cisco Talos Blog
Cisco Talos Blog
H
Help Net Security
S
Schneier on Security
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Exploit Database - CXSecurity.com
T
Tor Project blog
月光博客
月光博客
NISL@THU
NISL@THU
A
About on SuperTechFans
Spread Privacy
Spread Privacy
Blog — PlanetScale
Blog — PlanetScale
D
DataBreaches.Net
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园 - 【当耐特】
G
Google Developers Blog
W
WeLiveSecurity
P
Palo Alto Networks Blog
The Last Watchdog
The Last Watchdog
K
Kaspersky official blog
博客园 - 司徒正美
L
LINUX DO - 热门话题
小众软件
小众软件

Security @ Cisco Blogs

We third-party tested our firewall built for AI-scale. The test tools hit their limit first. SharpHound Recon Attack - How AI enhanced the threat hunt Machine Speed, Human Judgement: How AI Changed the SOC in 2026 Elevating Expertise in the SOC Educate at Event Speed: Cisco Live Security Operations Center What Working the Cisco Live SOC Taught Me About AI, Detection, and Response Cable to Cloud - A Product Engineer's Journey Through the Cisco Live AMER 2026 SOC The Experience Dividend: How Better Digital Experience Protects Revenue, Trust, and Growth AIM: Building an Agentic Tier-2 SOC Analyst at Cisco Live AMER 2026 Building the Agentic SOC at Cisco Live Americas 2026 Ten Years in the SOC at RSAC: What We Learned in 2026 Making Workflow Runs Explain Themselves: AI-Powered Run Summaries in Cisco XDR Automate Independent Testing Confirms Secure Email Threat Defense’s Email Security Strength Defenseclaw for On-Prem AI SOC Workflow at Black Hat Asia Cisco Secure Access with MCP Infrastructure at Black Hat Asia 2026 The Essence of Black Hat – Collaboration with Partners Black Hat Asia 2026: A Decade in Singapore Black Hat Asia 2026: Threat Hunters’ Corner Unveiling the Power of Integration: XDR, Splunk, Corelight, Arista and Palo Alto Networks in Action at Black Hat Asia Security in the Post-Mythos Era Cisco SASE with Meraki: Get in the Fast Lane to SASE Extending Zero Trust Across the Agentic AI Workflow Strengthening the Foundation: A Predictable, Customer focused Response to AI-Accelerated Vulnerability Discovery Quantum Resilience Needs a Common Language. Here’s Where to Start. Security at Cisco Live: Going Shields Up for the Agentic Era Identity Elevated: A New Unified Identity Experience in Cisco Cloud Control Security Needs a New Operating Model Cisco Secure Access and Microsoft Purview Integration for Simplified Data Protection Cisco Secure Access and Island Browser Enable Zero Trust Everywhere Finding what lives between the alerts: Announcing Cisco Talos Threat Hunting From Log Flood to Threat Signal: Cisco and Splunk Bring Context to Modern Defense Cisco Secure Access and Microsoft Edge for Business Integration Why Network Segmentation Projects Fail: Four Patterns Cisco’s Risk-Based Vulnerability Disclosure in the Age of AI Enhancing Cisco Secure Email Gateway: Safer Clicks and Cleaner Files AI-generated reporting: Lessons learned from Cisco Talos Incident Response Inside the SOC: AI-powered DNS defense against ransomware Security Insights: A Threat-First View for the Platform That Enforces Access From Strategy to Architecture: How Cisco is Building a Quantum-Safe Future AI-Ready, Simpler, and More Secure WAN: Cisco SD-WAN Innovations Designing for What’s Next: Securing AI-Scale Infrastructure Without Compromise Preparing for Post-Quantum Cryptography: The Secure Firewall Roadmap Mobile World Congress 2026: AI-powered Network Security Powering MWC Barcelona – Building a Unified SOC and NOC with Splunk in Record Time AI-powered Network Security at the Mobile World Congress 2026 SNOC Inside the Mobile World Congress 2026 SOC: Detecting Shadow Traffic with Firepower 6100 Data Optimization in Security: A Splunk Architect’s Perspective Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders Zero Trust for Agentic AI: Safeguarding your Digital Workforce The Agent Trust gap: What Our Research Reveals About Agentic AI Security Meet Your Incident Responders
Uplevelling Black Hat Threat Hunters
Aditya Raghavan · 2026-06-23 · via Security @ Cisco Blogs

At Black Hat, every new data source is a trade-off.

More telemetry means better visibility – but also more data for threat hunters to sift through.

From SMA to SAA: Same Need, Different Problem

Recently, Splunk Attack Analyzer (SAA) superseded Secure Malware Analytics (SMA) as the official malware threat analysis platform at Black Hat. 

With SMA, we had a simple and effective pattern: 

  • Submissions exceeding a score threshold
  • Automatically surfaced to the Threat Hunters’ incident queue on Cisco XDR

It worked well. So naturally, we wanted the same outcome with SAA.

SAA provides granular data across multiple sourcetypes, allowing for significant flexibility in how information is presented. By mapping these data streams together, we tailored our reporting to deliver a comprehensive, cohesive view of our threat landscape.

The Turning Point: Collaboration

This is where David and Lily stepped in. They built a query that:

  1. Extracts submission metadata (URL, Job ID, engines used)
  2. Uses the Job ID to retrieve high-scoring results (≥85)
  3. Joins and reshapes both datasets into a single, usable structure

This was a transformative shift. By tailoring our configuration to meet our specific requirements, we unlocked a new level of visibility. This approach delivered the deep, actionable insights necessary to optimize our workflow.

Building the Workflow

With the query ready, the focus shifted to automation.

Instead of starting from scratch, we reused existing ingestion components and adapted them for this data structure.

Building the workflow

Then came an important decision: Focus on what matters for detection of threats at Black Hat. 

SAA can accept any file format and URLs for analysis which means we saw many protocols being used, including:

  • HTTP 
  • FTP 
  • POP3/SMTP

But only HTTP had meaningful volume and relevance for the event.

So, we cut the rest. POP3/SMTP would get a chance next time around.

This was precision – prioritizing impact over completeness.

Enriching with Network Context and reducing noise 

A file submitted via HTTP doesn’t exist in isolation – it has network context. So, we enriched each submission with:

  • Related traffic telemetry
  • Directionality
  • Action context (allowed vs blocked)

This turned isolated results into something threat hunters could actually investigate.

EnrichingWithNetworkContext
EnrichingWithNetworkContext

At this stage, we hit familiar challenges: 

  • Timestamp normalization (epoch → RFC3339)
  • Action context extraction (allowed vs blocked)
  • Traffic directionality

All necessary for proper ingestion into XDR.

One issue nearly derailed the correlation logic. Traffic originating from internal zones was routed through zScaler, resulting in:

  • Shared destination IPs
  • Multiple unrelated events bundled together

This could create false correlations – exactly the noise we were trying to avoid.

The fix? A targeted exception to filter it out.

Highly customized – but effective.

The Outcome: Better Signals for Hunters 

The workflow produced a new detection stream in Cisco XDR – powered by SAA submissions, enriched with network context.

Malicious script detected by mozilla

At first glance, some alerts looked critical based on their attributes of: 

  • High scores
  • Multiple internal systems involved
  • Suspicious JavaScript obfuscation behaviour

But investigation told a different story. 

A legitimate Twitter embed. Flagged by heuristics. 

False positive. And that’s the point. 

With proper context and analysis from Attack Storyboard, the team quickly validated and dismissed it.

CDN Widget

And that’s the real win. This workflow wasn’t about adding another data source. 

It was about:

  • Surfacing high-risk submissions automatically
  • Providing network context for faster triage
  • Helping threat hunters dismiss noise faster

This workflow is far from perfect. It will evolve, just like everything else we build at Black Hat. 

“In the end, the best detection isn’t the highest scored one – it’s the one you can act on.” 

Check out the other blogs from our team at Black Hat Asia 2026. 

About Black Hat 

Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit www.Black Hat.com.


We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social Media

LinkedIn
Facebook
Instagram