Cisco Reside Amsterdam 2026: XDR + Splunk ES

Constructing on the teachings discovered within the Safety Operations Middle (SOC) at main occasions, we challenged ourselves to construct one thing new at Cisco Reside Amsterdam 2026, a closed-loop integration with Cisco XDR and Splunk Enterprise Safety.

Planning a profitable SOC begins with sturdy collaboration with the Community Operations Middle (NOC). It additionally started with a spotlight, utilizing the Splunk Safety Maturity Methodology (S2M2).

The core missions of the SOC stay:

• Defend: Safeguard the community from threats and assaults, each inner and exterior
• Educate: Inform and have interaction attendees by means of SOC excursions and weblog content material, and our white paper
• Innovate: Develop and implement new integrations, processes, workflows, and automations

Harnessing the Energy of Splunk Safety

A serious purpose for EMEA 2026 was breaking down the silos between “triage / investigating” and “risk looking / incident response.”

By embedding Splunk Safety Integration Engineers immediately into the SOC, we curated particular workflows that allowed Tier 1 interns and Tier 2 analysts to carry out complicated investigations that have been beforehand the area of Tier 3 responders.

Configurations and different knowledge have been able to go from earlier occasions, together with dashboards in Splunk, from the improvements for the Nationwide Soccer League Tremendous Bowl LX SOC.

We refined the SOC Supervisor dashboard in Splunk from the expertise on the Tremendous Bowl SOC, exhibiting the Incidents generated from detections within the safety sources, and the standing of the incidents, together with escalations to Splunk Enterprise Safety (ES).

The Splunk Safety Product Labs workforce labored to make the most of the facility of the Cisco XDR correlation engine, to carry Splunk ES Danger index logs as Sources into the XDR Knowledge Analytics Platform. These logs have been correlated with different detections to provide Incidents for Triage and Investigation by Tier 1 /2 SOC analysts.

The combination between Cisco XDR and Splunk ES delivers a seamless expertise for safety operations groups by combining native XDR detections with Splunk’s intensive knowledge backend and customized OCSF detections. Key improvements embrace:

• Speedy Onboarding: New SOC analysts will be skilled on XDR in below an hour, together with integration pivot factors with Splunk and Endace packet seize.
• Unified Incident Administration: Detections from each Cisco XDR and Splunk have been correlated inside XDR, permitting analysts to see the supply of detections in incidents, however sustaining a constant person expertise. This reduces the necessity for retraining earlier than effectiveness in a mature SOC.
• Environment friendly Analyst Workflow: Tier 1/2 analysts triaged and investigated incidents in XDR, with the flexibility to pivot to Splunk logs and Endace packet knowledge. When escalation is required, enriched incident knowledge is robotically despatched to Splunk ES for Tier 3 analysts to proceed investigations in Mission Management.
• Closed-Loop Automation: Incident standing was robotically up to date in XDR when the case was resolved in Splunk ES, closing the loop and making certain synchronized information.

• Studying & Collaboration: Tier 1/2 analysts had position based mostly entry to Splunk ES by way of Duo Listing, empowering them to view the Tier 3 investigation notes and findings, and upleveling their expertise.

• Openness & Customization: The combination leverages the open structure of each Cisco XDR and Splunk, supporting customized detections and versatile workflows, as confirmed in high-profile SOC deployments.

This innovation permits safety operations facilities to maximise detection protection, streamline incident response, cut back coaching overhead, and foster analyst development, by means of tightly built-in, automated workflows.

The Deployment: SOC in a Field

The SOC was efficiently deployed in simply 12 hours over 1 ½ days. This pace was not unintentional; it was architectural. We utilized our transportable “SOC in a Field”, a pre-configured {hardware} stack designed to be delivered prematurely to the venue, linked to the NOC and instantly started producing actionable telemetry.

Key elements enabling this speedy setup included:

• Pre-validated Knowledge Paths: Prompt connectivity between the Cisco Reside NOC, Splunk Enterprise Safety and the Cisco Safety Cloud.
• Battle-Examined Innovation: We built-in superior safety practices developed whereas safeguarding the Black Hat community, acknowledged because the world’s most hostile setting.
• Confirmed Workflows: We drew upon experience and playbooks refined on the Tremendous Bowl LX, RSAC, GovWare and prior Cisco Reside SOCs.

The SOC Structure: A “System of Programs”

The Amsterdam SOC was designed to beat particular occasion constraints, similar to the shortcoming to put in endpoint brokers on attendee gadgets (BYOD) and the necessity to detect malware in encrypted site visitors.

The Visibility Layer: The SOC workforce labored with the NOC to attach the ‘SOC within the Field’ and Cisco Safe Entry for DNS safety. We acquired a Switched Port Analyzer (SPAN) feed of community site visitors.

The Investigation Layer: We deployed the EndaceProbe packet seize platform to report all community site visitors. This allowed us to pivot from a Splunk alert on to full packet seize (PCAP) to validate investigative hypotheses. Endace additionally generated Zeek logs for Splunk Enterprise Safety (ES), whereas file content material was reconstructed on the wire and streamed to Splunk Assault Analyzer and Cisco Safe Malware Analytics for sandboxing.

The Evaluation & Identification Layer:

• Splunk Cloud and Splunk ES served because the SOC platform, aggregating threat scores and normalizing knowledge into the Widespread Data Mannequin (CIM).
• Cisco XDR acted as investigation visualization instrument, utilizing AI to verify threats sooner with Prompt Assault Verification, enriched with risk intelligence offered by Cisco Talos, and licenses donated by alphaMountain, Pulsedive, and StealthMole, together with neighborhood sources.

• Duo Listing and Identification Intelligence offered the id aircraft, securing entry to our instruments by way of Single Signal-On and making certain our analysts have been authenticated and licensed inside minutes of becoming a member of the shift.

The Statistics

Statistics are at all times a well-liked a part of the SOC Excursions. Beneath are the stats from this 12 months’s occasion.

SOC Findings and Classes Discovered

The SOC workforce focuses on steady innovation—the “OODA loop” of observing, orienting, deciding, and performing. We take time to doc our experiences for the edification of the neighborhood.

Try the deep-dive technical blogs under from the engineers who labored contained in the SOC:

Acknowledgements

A heartfelt thanks to the engineers whose experience made the primary Cisco Reside Amsterdam 2026 SOC an amazing success.

Community Operations Middle Liaisons

• Remco Kamerman, Luke Hebditch, Mark Bremner and Scott Neuman

Cisco Safety and Splunk SOC Group

• SOC in a Field: Adi Sankar
• Splunk Safety Integrations: Paul Pelletier and Kenneth Bouchard, with Josh Wilson and Duane Waddle
• Splunk Risk Researchers: Nasreddine Bencherchali and Paul Pang
• Breach Safety Suite: Mark Pleunes, Ibrahim Yusuf, Piotr Jarzynka, Matt Vander Horst, Yannis Steiakogiannakis and Eric Rennie, with Bilal Qamar
• Consumer Safety Suite: Aaron Woland
• Firewall and Safety Cloud Management: Adam Kilgore and Christopher Grabowski

Endace SOC Group

• Co-SOC Chief: Cary Wright Endace Engineering: Owen Gallagher, Sundarram Paravastu and Sam Brockelsby

We’d love to listen to what you suppose! Ask a query and keep linked with Cisco Safety on social media.

Cisco Safety Social Media

LinkedIn
Fb
Instagram