Friday, July 17, 2026

Uplevelling Black Hat Menace Hunters

At Black Hat, each new knowledge supply is a trade-off.

Extra telemetry means higher visibility – but additionally extra knowledge for menace hunters to sift by.

Just lately, Splunk Assault Analyzer (SAA) outmoded Safe Malware Analytics (SMA) because the official malware menace evaluation platform at Black Hat.

With SMA, we had a easy and efficient sample:

  • Submissions exceeding a rating threshold
  • Robotically surfaced to the Menace Hunters’ incident queue on Cisco XDR

It labored effectively. So naturally, we needed the identical final result with SAA.

SAA supplies granular knowledge throughout a number of sourcetypes, permitting for vital flexibility in how data is offered. By mapping these knowledge streams collectively, we tailor-made our reporting to ship a complete, cohesive view of our menace panorama.

That is the place David and Lily stepped in. They constructed a question that:

  1. Extracts submission metadata (URL, Job ID, engines used)
  2. Makes use of the Job ID to retrieve high-scoring outcomes (≥85)
  3. Joins and reshapes each datasets right into a single, usable construction

This was a transformative shift. By tailoring our configuration to satisfy our particular necessities, we unlocked a brand new degree of visibility. This method delivered the deep, actionable insights essential to optimize our workflow.

With the question prepared, the main focus shifted to automation.

As an alternative of ranging from scratch, we reused current ingestion elements and tailored them for this knowledge construction.

Building the workflow

Then got here an vital resolution: Concentrate on what issues for detection of threats at Black Hat.

SAA can settle for any file format and URLs for evaluation which implies we noticed many protocols getting used, together with:

However solely HTTP had significant quantity and relevance for the occasion.

So, we minimize the remaining. POP3/SMTP would get an opportunity subsequent time round.

This was precision – prioritizing impression over completeness.

A file submitted through HTTP doesn’t exist in isolation – it has community context. So, we enriched every submission with:

  • Associated visitors telemetry
  • Directionality
  • Motion context (allowed vs blocked)

This turned remoted outcomes into one thing menace hunters may truly examine.

EnrichingWithNetworkContextEnrichingWithNetworkContext
EnrichingWithNetworkContextEnrichingWithNetworkContext

At this stage, we hit acquainted challenges:

  • Timestamp normalization (epoch → RFC3339)
  • Motion context extraction (allowed vs blocked)
  • Visitors directionality

All needed for correct ingestion into XDR.

One subject almost derailed the correlation logic. Visitors originating from inner zones was routed by zScaler, leading to:

  • Shared vacation spot IPs
  • A number of unrelated occasions bundled collectively

This may create false correlations – precisely the noise we have been making an attempt to keep away from.

The repair? A focused exception to filter it out.

Extremely custom-made – however efficient.

The workflow produced a brand new detection stream in Cisco XDR – powered by SAA submissions, enriched with community context.

Malicious script detected by mozillaMalicious script detected by mozilla

At first look, some alerts seemed vital based mostly on their attributes of:

  • Excessive scores
  • A number of inner methods concerned
  • Suspicious JavaScript obfuscation behaviour

However investigation informed a unique story.

A authentic Twitter embed. Flagged by heuristics.

False optimistic. And that’s the purpose.

With correct context and evaluation from Assault Storyboard, the group shortly validated and dismissed it.

CDN WidgetCDN Widget

And that’s the actual win. This workflow wasn’t about including one other knowledge supply.

It was about:

  • Surfacing high-risk submissions routinely
  • Offering community context for sooner triage
  • Serving to menace hunters dismiss noise sooner

This workflow is much from good. It is going to evolve, similar to every thing else we construct at Black Hat.

“In the long run, the very best detection isn’t the highest scored one – it’s the one you may act on.”

Take a look at the opposite blogs from our group at Black Hat Asia 2026.

Black Hat is the cybersecurity business’s most established and in-depth safety occasion sequence. Based in 1997, these annual, multi-day occasions present attendees with the most recent in cybersecurity analysis, improvement, and developments. Pushed by the wants of the group, Black Hat occasions showcase content material immediately from the group by Briefings shows, Trainings programs, Summits, and extra. Because the occasion sequence the place all profession ranges and educational disciplines convene to collaborate, community, and focus on the cybersecurity subjects that matter most to them, attendees can discover Black Hat occasions in america, Canada, Europe, Center East and Africa, and Asia. For extra data, please go to www.Black Hat.com.


We’d love to listen to what you suppose! Ask a query and keep related with Cisco Safety on social media.

Cisco Safety Social Media

LinkedIn
Fb
Instagram

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles