Splunk Innovation at Black Hat USA

Sep, 03, 2025 Hi-network.com

To give our threat hunters richer context from our own and our partners' tools, we brought Splunk Enterprise Security Cloud to the Black Hat Europe 2024 and Black Hat Asia 2025 events. It ingested detections from Cisco XDR, Secure Malware Analytics, Umbrella, ThousandEyes, Endace Probe, Corelight OpenNDR and Palo Alto Networks NGFW/XSIAM, and visualized them in functional dashboards for executive reporting.

The team works to bring the innovation from Black Hat to Splunk and XDR users, and has published new XDR Automate templates for Splunk Cloud and Splunk Enterprise that create an XDR incident from a Splunk alert.
Templates exist for: Corelight (Notice and Suricata), Endace, Cisco Secure Firewall (Intrusion and Security Intelligence), Palo Alto Firewall (Intrusion), Zscaler ZIA, Meraki MX, Cisco SNA, Sophos EPP, Symantec EPP and ThousandEyes Alerts.

In Cisco XDR Automate Exchange, search for "Splunk," and select either Cloud or Enterprise, as appropriate to your architecture.

Fig. 1: Cisco XDR Automate Exchange

You can then install the templates, just as we did at Black Hat.

Fig. 2: Installing the Splunk Enterprise template in XDR

The ingested data for each integrated platform was deposited into its own index, which kept our threat hunters' searches cleaner. Searching for data is where Splunk shines! To showcase all of that, key metrics from this dataset were converted into dashboards in Splunk Dashboard Studio. The team used the SOC dashboard from the RSAC 2025 SOC, Black Hat Asia and Cisco Live San Diego as the foundation, with continuous improvements.

1. XDR Incidents

The SOC Manager dashboard visualizes XDR incidents, mean time to response, and samples submitted for malware analysis.

Fig. 3: XDR incidents, visualized in the SOC Manager

2. DNS

Health of the Domain Name Service, and the security threats it blocked.

Fig. 4: Health of DNS, visualized

3. Network Intrusion

Security events and observed attacks from Cisco Secure Firewall, Corelight Open NDR and Palo Alto Networks Firewall.

Fig. 5: Network intrusion security events

4. Network Metrics

Health of the network and connected devices from Cisco Secure Firewall, Palo Alto Network Firewall and ThousandEyes.

Fig. 6: Health of network and connected devices

5. Splunk Attack Analyzer

Splunk Attack Analyzer files analyzed, as submitted by Corelight Open NDR.

Fig. 7: Splunk Attack Analyzer files analyzed
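As an added example (not from the post, Cisco or Splunk), here are two saved-search definitions of the kind that could back these panels: an XDR incident mean-time-to-response table and a per-index integration health check that turns a silent feed into a visible alert rather than a falsely quiet network. The index names, sourcetype and incident field names are assumptions to be mapped onto whatever your add-on actually writes.

```ini
# savedsearches.conf - added example, not the post's, Cisco's or Splunk's code.
# ASSUMPTIONS: index names, the sourcetype and the created_at /
# first_response_at / severity fields are placeholders; map them to the
# field names your XDR add-on really produces.
[SOC - XDR incident MTTR by severity]
search = index=cisco_xdr sourcetype="cisco:xdr:incident" \
    | eval created=strptime(created_at, "%Y-%m-%dT%H:%M:%S%z"), \
           responded=strptime(first_response_at, "%Y-%m-%dT%H:%M:%S%z") \
    | eval response_secs=responded-created \
    | where isnotnull(response_secs) AND response_secs>=0 \
    | stats count AS incidents, \
            avg(response_secs) AS mttr_secs, \
            perc90(response_secs) AS p90_secs \
            BY severity \
    | eval mttr=tostring(round(mttr_secs, 0), "duration"), \
           p90=tostring(round(p90_secs, 0), "duration") \
    | fields severity incidents mttr p90 \
    | sort -incidents
dispatch.earliest_time = -24h@h
dispatch.latest_time = now

# Integration health: an index that stops receiving events is a broken
# feed, not a quiet network. tstats reads indexed fields only, so this
# stays cheap even over a full event's worth of traffic.
[SOC - integration health by index]
search = | tstats latest(_time) AS last_seen count AS events \
          WHERE (index=cisco_xdr OR index=corelight OR index=endace \
                 OR index=umbrella OR index=thousandeyes) \
          BY index \
    | eval minutes_silent=round((now()-last_seen)/60, 0) \
    | eval status=if(minutes_silent>30, "STALE", "OK") \
    | sort -minutes_silent
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
```

The 30-minute staleness threshold is a constructed value; set it per feed, since a firewall index goes quiet far less often than a sandbox submission index.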

Conclusions

With our mission at Black Hat defined as a 'SOC within a NOC,' the SOC/NOC Manager dashboards were designed to unify networking and security reporting. This integration delivers significant power and insight, and we plan to enhance it further in upcoming Black Hat events. The dashboards will gain additional functionality and broaden their role as primary consoles for our threat hunters, as well as serve as key reporting displays on the large screens within the NOC. Moreover, by continuously visualizing and updating critical metrics, the dashboard widgets proactively alert the SOC team to any issues with integrations or components of the network and security infrastructure.

This approach strengthens situational awareness and operational efficiency for the SOC team within the NOC environment.

We look forward to more advancements for Black Hat Europe 2025, where Ivan Berlinson will again be onsite to drive innovation.

About Black Hat

Black Hat is the cybersecurity industry's most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.

