
At Black Hat, every new data source is a trade-off.

More telemetry means better visibility – but also more data for threat hunters to sift through.

Recently, Splunk Attack Analyzer (SAA) superseded Secure Malware Analytics (SMA) as the official malware threat analysis platform at Black Hat. 

With SMA, we had a simple and effective pattern: 

  • Submissions exceeding a score threshold
  • Automatically surfaced to the Threat Hunters’ incident queue on Cisco XDR

It worked well. So naturally, we wanted the same outcome with SAA.

SAA exposes its results across several sourcetypes, which leaves a lot of freedom in how the data is presented. By joining those streams together, we could tailor the reporting into a single, cohesive view of the threat landscape at the event.

This is where David and Lily stepped in. They built a query that:

  1. Extracts submission metadata (URL, Job ID, engines used)
  2. Uses the Job ID to retrieve high-scoring results (≥85)
  3. Joins and reshapes both datasets into a single, usable structure
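The three steps above, as an added Python example rather than the team's own Splunk query: the field names (job_id, url, engines, engine, score, verdict) and the sample records are assumptions constructed for illustration, not SAA's real sourcetype schema.

```python
"""Join SAA submission metadata with high-scoring results.

Added example. Field names and sample records are assumptions standing in
for the real SAA sourcetypes; they are not the product's schema.
"""
from collections import defaultdict

SCORE_THRESHOLD = 85

# Constructed sample data: one record per submission (metadata sourcetype)
SUBMISSIONS = [
    {"job_id": "job-001", "url": "http://example.test/invoice.zip", "engines": ["static", "sandbox"]},
    {"job_id": "job-002", "url": "http://example.test/widget.js", "engines": ["static"]},
    {"job_id": "job-003", "url": "http://example.test/index.html", "engines": ["static", "sandbox"]},
    {"job_id": "job-004", "url": "http://example.test/orphan.exe", "engines": ["sandbox"]},
]

# Constructed sample data: several result rows per job (results sourcetype)
RESULTS = [
    {"job_id": "job-001", "engine": "static", "score": 40, "verdict": "suspicious"},
    {"job_id": "job-001", "engine": "sandbox", "score": 92, "verdict": "malicious"},
    {"job_id": "job-002", "engine": "static", "score": 88, "verdict": "obfuscated-js"},
    {"job_id": "job-003", "engine": "static", "score": 10, "verdict": "clean"},
    {"job_id": "job-003", "engine": "sandbox", "score": 85, "verdict": "malicious"},  # exactly at threshold
    {"job_id": "job-999", "engine": "sandbox", "score": 99, "verdict": "malicious"},  # no matching submission
]


def high_scoring_results(results, threshold=SCORE_THRESHOLD):
    """Group result rows by job_id and keep only jobs whose best score is >= threshold."""
    by_job = defaultdict(list)
    for row in results:
        by_job[row["job_id"]].append(row)
    return {job: rows for job, rows in by_job.items()
            if max(r["score"] for r in rows) >= threshold}


def join_submissions(submissions, results, threshold=SCORE_THRESHOLD):
    """Inner-join submission metadata to the high-scoring jobs on job_id and
    flatten the pair into one record per submission, highest score first."""
    hits = high_scoring_results(results, threshold)
    merged = []
    for sub in submissions:
        rows = hits.get(sub["job_id"])
        if not rows:
            continue  # no results, or none above the threshold
        top = max(rows, key=lambda r: r["score"])
        merged.append({
            "job_id": sub["job_id"],
            "url": sub["url"],
            "engines": sub["engines"],
            "max_score": top["score"],
            "top_engine": top["engine"],
            "verdict": top["verdict"],
            "scores": {r["engine"]: r["score"] for r in rows},
        })
    return sorted(merged, key=lambda m: m["max_score"], reverse=True)


if __name__ == "__main__":
    for record in join_submissions(SUBMISSIONS, RESULTS):
        print(record)
```

Note that a result row with no matching submission (job-999 above) is dropped by the join rather than surfaced, which is the behaviour you want when the metadata sourcetype is what hunters need to act on the hit.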

That single structure made the difference. Tailoring the query to our own requirements gave us visibility we did not have before: one record per high-scoring submission, carrying the metadata a hunter needs to act on it.

With the query ready, the focus shifted to automation.

Instead of starting from scratch, we reused existing ingestion components and adapted them for this data structure.

Building the workflow

Then came an important decision: focus on what matters for detecting threats at Black Hat.

SAA accepts any file format as well as URLs for analysis, so submissions arrived over several protocols, including:

  • HTTP 
  • FTP 
  • POP3/SMTP

But only HTTP had meaningful volume and relevance for the event.

So, we cut the rest. POP3/SMTP would get a chance next time around.

This was precision – prioritizing impact over completeness.

A file submitted via HTTP doesn’t exist in isolation – it has network context. So, we enriched each submission with:

  • Related traffic telemetry
  • Directionality
  • Action context (allowed vs blocked)

This turned isolated results into something threat hunters could actually investigate.

Figure: Enriching with network context

At this stage, we hit familiar challenges: 

  • Timestamp normalization (epoch → RFC3339)
  • Action context extraction (allowed vs blocked)
  • Traffic directionality

All necessary for proper ingestion into XDR.

One issue nearly derailed the correlation logic. Traffic originating from internal zones was routed through Zscaler, so every proxied flow carried the proxy's destination IPs rather than the real destination. Correlating on destination IP therefore produced:

  • Shared destination IPs across unrelated submissions
  • Multiple unrelated events bundled together

This could create false correlations – exactly the noise we were trying to avoid.

The fix? A targeted exception to filter it out.

Highly customized – but effective.
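The enrichment, the three normalization steps and the proxy exception, put together as an added Python example rather than the workflow's own code: the key=value firewall log format, the internal zone (10.0.0.0/8) and the proxy egress range (203.0.113.0/24, a documentation range standing in for the real Zscaler one) are assumptions, and the log lines are constructed.

```python
"""Enrich an SAA hit with network context before it reaches XDR.

Added example. The log format, the internal zone and the proxy egress
range are assumptions; the firewall lines below are constructed.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

INTERNAL_ZONES = [ip_network("10.0.0.0/8")]        # assumed internal zone
PROXY_EGRESS = [ip_network("203.0.113.0/24")]      # assumed Zscaler egress range
ALLOWED = {"allow", "permit", "accept"}
BLOCKED = {"deny", "drop", "block", "reset"}

# Constructed firewall log lines: epoch seconds, key=value fields
FW_LOG = """\
ts=1767225600 src=10.1.5.23 dst=198.51.100.7 host=example.test action=allow
ts=1767225605 src=10.1.5.23 dst=198.51.100.7 host=example.test action=deny
ts=1767225610 src=10.2.8.9 dst=203.0.113.40 host=example.test action=allow
ts=1767225620 src=192.0.2.55 dst=10.1.5.23 host=example.test action=allow
ts=1767225630 src=10.3.3.3 dst=198.51.100.9 host=other.test action=allow
"""


def parse_line(line):
    """Split one key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def epoch_to_rfc3339(epoch):
    """Epoch seconds -> RFC 3339 UTC timestamp, the form XDR ingestion expects."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def in_any(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def directionality(src, dst):
    """Classify a flow relative to the internal zone."""
    src_int, dst_int = in_any(src, INTERNAL_ZONES), in_any(dst, INTERNAL_ZONES)
    if src_int and not dst_int:
        return "outbound"
    if dst_int and not src_int:
        return "inbound"
    return "internal" if src_int else "external"


def action_context(action):
    """Map the vendor's action verb to allowed / blocked."""
    verb = action.lower()
    if verb in ALLOWED:
        return "allowed"
    if verb in BLOCKED:
        return "blocked"
    return "unknown"


def is_proxied(event):
    """The proxy exception: proxied flows all share the proxy's destination IPs,
    so correlating on them would bundle unrelated events. Exclude those flows."""
    return in_any(event["dst"], PROXY_EGRESS)


def enrich(hit, log_text):
    """Attach related, normalized firewall events to one SAA hit, keyed on the URL host."""
    host = urlparse(hit["url"]).hostname
    events = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event["host"] != host or is_proxied(event):
            continue
        events.append({
            "timestamp": epoch_to_rfc3339(event["ts"]),
            "src": event["src"],
            "dst": event["dst"],
            "direction": directionality(event["src"], event["dst"]),
            "action": action_context(event["action"]),
        })
    return {**hit, "related_events": events,
            "blocked_anywhere": any(e["action"] == "blocked" for e in events)}


if __name__ == "__main__":
    hit = {"job_id": "job-001", "url": "http://example.test/invoice.zip", "max_score": 92}
    for event in enrich(hit, FW_LOG)["related_events"]:
        print(event)
```

The proxied line (destination 203.0.113.40) is dropped before correlation, the inbound line from 192.0.2.55 is kept with its direction recorded, and the deny line sets blocked_anywhere, which is the triage signal that tells a hunter whether the submission ever got through.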

The workflow produced a new detection stream in Cisco XDR – powered by SAA submissions, enriched with network context.

Malicious script detected by mozilla

At first glance, some alerts looked critical, given:

  • High scores
  • Multiple internal systems involved
  • Suspicious JavaScript obfuscation behaviour

But investigation told a different story. 

A legitimate Twitter embed. Flagged by heuristics. 

False positive. And that’s the point. 

With proper context and analysis from Attack Storyboard, the team quickly validated and dismissed it.

CDN Widget

And that’s the real win. This workflow wasn’t about adding another data source. 

It was about:

  • Surfacing high-risk submissions automatically
  • Providing network context for faster triage
  • Helping threat hunters dismiss noise faster

This workflow is far from perfect. It will evolve, just like everything else we build at Black Hat. 

“In the end, the best detection isn’t the highest scored one – it’s the one you can act on.” 

Check out the other blogs from our team at Black Hat Asia 2026. 

Black Hat is the cybersecurity industry's most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit www.blackhat.com.



Authors

Aditya Raghavan

Threat Hunter

Splunk Security Strategists