{"id":29360,"date":"2026-06-29T16:16:37","date_gmt":"2026-06-29T07:16:37","guid":{"rendered":"https:\/\/aireviewirush.com\/?p=29360"},"modified":"2026-06-29T16:16:37","modified_gmt":"2026-06-29T07:16:37","slug":"uplevelling-black-hat-menace-hunters","status":"publish","type":"post","link":"https:\/\/aireviewirush.com\/?p=29360","title":{"rendered":"Uplevelling Black Hat Threat Hunters"},"content":{"rendered":"<div>\n<p>At Black Hat, every new data source is a trade-off.<\/p>\n<p>More telemetry means better visibility \u2013 but also more data for threat hunters to sift through.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-4860e03b88ab019d6b7757b9df434383\" id=\"h-from-sma-to-saa-same-need-different-problem\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"From_SMA_to_SAA_Similar_Want_Completely_different_Downside\"><\/span>From SMA to SAA: Same Need, Different Problem<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Recently, Splunk Attack Analyzer (SAA) replaced Secure Malware Analytics (SMA) as the official malware threat analysis platform at Black Hat.<\/p>\n<p>With SMA, we had a simple and effective pattern:<\/p>\n<ul class=\"wp-block-list\">\n<li>Submissions exceeding a score threshold<\/li>\n<li>Automatically surfaced to the Threat Hunters\u2019 incident queue on Cisco XDR<\/li>\n<\/ul>\n<p>It worked well. So naturally, we wanted the same outcome with SAA.<\/p>\n<p>SAA provides granular data across multiple sourcetypes, allowing for significant flexibility in how information is presented. By mapping these data streams together, we tailored our reporting to deliver a comprehensive, cohesive view of our threat landscape.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-905978b1e41e7d76b3da2c07c7e57f63\" id=\"h-the-nbsp-turning-point-collaboration\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"The_Turning_Level_Collaboration\"><\/span>The Turning Point: Collaboration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>This is where David and Lily stepped in. They built a query that:<\/p>\n<ol class=\"wp-block-list\">\n<li>Extracts submission metadata (URL, Job ID, engines used)<\/li>\n<li>Uses the Job ID to retrieve high-scoring results (\u226585)<\/li>\n<li>Joins and reshapes both datasets into a single, usable structure<\/li>\n<\/ol>\n<p>This was a transformative shift.
By tailoring our configuration to meet our specific requirements, we unlocked a new level of visibility. This approach delivered the deep, actionable insights needed to optimize our workflow.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-dfff7a405e05f30b5208ab8a004c2400\" id=\"h-building-the-workflow\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"Constructing_the_Workflow\"><\/span>Building the Workflow<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>With the query ready, the focus shifted to automation.<\/p>\n<p>Instead of starting from scratch, we reused existing ingestion components and adapted them for this data structure.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"610\" height=\"1024\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/06\/1-BHAsia2026-UBHTH-BuildingTheWorkflow-610x1024.webp\" alt=\"Building the workflow\" class=\"wp-image-493758\" style=\"width:382px;height:auto\"\/><\/figure>\n<\/div>\n<p>Then came an important decision: <strong>Focus on what matters for detection of threats at Black Hat.<\/strong><\/p>\n<p>SAA can accept any file format and URLs for analysis, which means we saw many protocols being used, including:<\/p>\n<p>But only HTTP had meaningful volume and relevance for the event.<\/p>\n<p>So, we cut the rest. POP3\/SMTP would get a chance next time around.<\/p>\n<p>This was precision \u2013 <strong>prioritizing impact over completeness<\/strong>.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-58e71a9eceb51deb0377e0ef9c74af2e\" id=\"h-enriching-with-network-context-nbsp-and-reducing-noise-nbsp\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"Enriching_with_Community_Context_and_lowering_noise\"><\/span>Enriching with Network Context and reducing noise<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A file submitted via HTTP doesn\u2019t exist in isolation \u2013 it has network context. So, we enriched each submission with:<\/p>\n<ul class=\"wp-block-list\">\n<li>Related traffic telemetry<\/li>\n<li>Directionality<\/li>\n<li>Action context (allowed vs blocked)<\/li>\n<\/ul>\n<p>This turned isolated results into something threat hunters could actually investigate.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"378\" height=\"1024\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/06\/3-BHAsia2026-UBHTH-EnrichingWithNetworkContext-378x1024.webp\" alt=\"EnrichingWithNetworkContext\" class=\"wp-image-493763\" style=\"width:238px;height:auto\"\/><\/figure>\n<\/div>\n<p>At this stage, we hit familiar challenges:<\/p>\n<ul class=\"wp-block-list\">\n<li>Timestamp normalization (epoch \u2192 RFC3339)<\/li>\n<li>Action context extraction (allowed vs blocked)<\/li>\n<li>Traffic directionality<\/li>\n<\/ul>\n<p>All critical for proper ingestion into XDR.<\/p>\n<p>One issue nearly derailed the correlation logic. Traffic originating from internal zones was routed through Zscaler, resulting in:<\/p>\n<ul class=\"wp-block-list\">\n<li>Shared destination IPs<\/li>\n<li>Multiple unrelated events bundled together<\/li>\n<\/ul>\n<p>This could create false correlations \u2013 exactly the noise we were trying to avoid.<\/p>\n<p>The fix? A targeted exception to filter it out.<\/p>\n<p>Highly customized \u2013 but effective.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-07d8e1034fad88276b46d993896c8fd5\" id=\"h-the-outcome-better-signals-for-hunters-nbsp\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"The_Final_result_Higher_Indicators_for_Hunters\"><\/span>The Outcome: Better Signals for Hunters<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The workflow produced a new detection stream in Cisco XDR \u2013 powered by SAA submissions,
enriched with network context.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"416\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/06\/4-BHAsia2026-UBHTH-TheOutcome-1024x416.webp\" alt=\"Malicious script detected by mozilla\" class=\"wp-image-493764\" style=\"width:694px;height:auto\"\/><\/figure>\n<\/div>\n<p>At first glance, some alerts looked critical based on their attributes of:<\/p>\n<ul class=\"wp-block-list\">\n<li>High scores<\/li>\n<li>Multiple internal systems involved<\/li>\n<li>Suspicious JavaScript obfuscation behaviour<\/li>\n<\/ul>\n<p>But investigation told a different story.<\/p>\n<p>A legitimate Twitter embed. Flagged by heuristics.<\/p>\n<p>False positive. And that\u2019s the point.<\/p>\n<p>With proper context and analysis from Attack Storyboard, the team quickly validated and dismissed it.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"752\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/06\/5-BHAsia2026-UBHTH-TheOutcome-1024x752.webp\" alt=\"CDN Widget\" class=\"wp-image-493761\" style=\"width:455px;height:auto\"\/><\/figure>\n<\/div>\n<p>And that\u2019s the real win. This workflow wasn\u2019t about adding another data source.<\/p>\n<p>It was about:<\/p>\n<ul class=\"wp-block-list\">\n<li>Surfacing high-risk submissions automatically<\/li>\n<li>Providing network context for faster triage<\/li>\n<li>Helping threat hunters <strong>dismiss noise faster<\/strong><\/li>\n<\/ul>\n<p>This workflow is far from perfect. It will evolve, just like everything else we build at Black Hat.<\/p>\n<p>\u201cIn the end, the best detection isn\u2019t the highest scored one \u2013 it\u2019s the one you can act on.\u201d<\/p>\n<p><a href=\"https:\/\/blogs.cisco.com\/security\/black-hat-asia-2026-a-decade-in-singapore\" target=\"_blank\" rel=\"noopener\">Check out the other blogs from our team at Black Hat Asia 2026.<\/a><\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-a4744c22c3004a1eb4548d712d03d531\" id=\"h-about-black-hat-nbsp\" style=\"font-style:normal;font-weight:400\"><span class=\"ez-toc-section\" id=\"About_Black_Hat\"><\/span>About Black Hat<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Black Hat is the cybersecurity industry\u2019s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.
As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit <a href=\"http:\/\/www.blackhat.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">www.BlackHat.com<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>At Black Hat, every new data source is a trade-off. More telemetry means better visibility \u2013 but also more data for threat hunters to sift through. From SMA to SAA: Same Need, Different Problem Recently, Splunk Attack Analyzer (SAA) replaced Secure Malware Analytics (SMA) as the official malware threat analysis platform at Black Hat. With SMA, we had a simple and effective [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":29362,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-29360","post","type-post","status-publish","format-standard","has-post-thumbnail","category-cloud-computing"],"_links":{"self":[{"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/posts\/29360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=29360"}],"version-history":[{"count":1,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/posts\/29360\/revisions"}],"predecessor-version":[{"id":29361,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/posts\/29360\/revisions\/29361"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=\/wp\/v2\/media\/29362"}],"wp:attachment":[{"href":"https:\/\/aireviewirush.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=29360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=29360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aireviewirush.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=29360"}],"curies":[{"name":"wp","href":"https
:\/\/api.w.org\/{rel}","templated":true}]}}