Tuesday, March 10, 2026

Cisco Live Amsterdam 2026: XDR + Splunk ES

Building on the lessons learned in the Security Operations Center (SOC) at major events, we challenged ourselves to build something new at Cisco Live Amsterdam 2026: a closed-loop integration between Cisco XDR and Splunk Enterprise Security.

Planning a successful SOC begins with strong collaboration with the Network Operations Center (NOC). It also began with a focus, using the Splunk Security Maturity Methodology (S2M2).

The core missions of the SOC remain:

  • Protect: Safeguard the network from threats and attacks, both internal and external
  • Educate: Inform and engage attendees through SOC tours, blog content and our white paper
  • Innovate: Develop and implement new integrations, processes, workflows and automations

(Image: EMEA 2026 SOC tours)

A major goal for EMEA 2026 was breaking down the silos between “triage / investigating” and “threat hunting / incident response.”

By embedding Splunk Security Integration Engineers directly into the SOC, we curated specific workflows that allowed Tier 1 interns and Tier 2 analysts to perform complex investigations that were previously the domain of Tier 3 responders.

Configurations and other data were ready to go from earlier events, including dashboards in Splunk from the innovations for the National Football League Super Bowl LX SOC.

(Image: Cisco Live EMEA SOC dashboard)

We refined the SOC Manager dashboard in Splunk from the experience at the Super Bowl SOC, displaying the incidents generated from detections in the security sources, and the status of those incidents, including escalations to Splunk Enterprise Security (ES).

(Image: Cisco Live EMEA Splunk SOC dashboard)

The Splunk Security Product Labs team worked to take advantage of the Cisco XDR correlation engine, bringing Splunk ES Risk index logs as Sources into the XDR Data Analytics Platform. These logs were correlated with other detections to produce Incidents for triage and investigation by Tier 1/2 SOC analysts.

(Image: XDR risk correlation)

The integration between Cisco XDR and Splunk ES delivers a seamless experience for security operations teams by combining native XDR detections with Splunk’s extensive data backend and custom OCSF detections. Key innovations include:

  • Rapid Onboarding: New SOC analysts can be trained on XDR in under an hour, including integration pivot points with Splunk and Endace packet capture.
  • Unified Incident Management: Detections from both Cisco XDR and Splunk were correlated within XDR, allowing analysts to see the source of detections in incidents while maintaining a consistent user experience. This reduces the need for retraining before an analyst is effective in a mature SOC.
  • Efficient Analyst Workflow: Tier 1/2 analysts triaged and investigated incidents in XDR, with the ability to pivot to Splunk logs and Endace packet data. When escalation is required, enriched incident data is automatically sent to Splunk ES for Tier 3 analysts to continue investigations in Mission Control.
  • Closed-Loop Automation: Incident status was automatically updated in XDR when the case was resolved in Splunk ES, closing the loop and ensuring synchronized data.
  • Learning & Collaboration: Tier 1/2 analysts had role-based access to Splunk ES via Duo Directory, empowering them to view the Tier 3 investigation notes and findings and to uplevel their skills.
  • Openness & Customization: The integration leverages the open architecture of both Cisco XDR and Splunk, supporting custom detections and flexible workflows, as proven in high-profile SOC deployments.

(Image: XDR to ES pivot to Mission Control)

(Image: XDR work log notes and status closed)

This innovation enables security operations centers to maximize detection coverage, streamline incident response, reduce training overhead and foster analyst growth through tightly integrated, automated workflows.
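The two mechanisms above, risk-index events from Splunk ES correlated with native XDR detections per entity, and the closed-loop status sync when the Splunk ES case is resolved, as an added toy model that is not Cisco’s or Splunk’s code. The field names, scores, threshold and sample events are assumptions constructed for this example, not the real XDR or Splunk ES data model.

```python
"""Toy model of the SOC flow above: Splunk ES risk-index events are ingested as an
XDR source, correlated with XDR detections by entity, and closed from Splunk ES."""
from collections import defaultdict

RISK_THRESHOLD = 100  # assumed combined score at which an incident is opened
# Constructed sample: Splunk ES risk index events (RBA-style fields, assumed)
ES_RISK_EVENTS = [
    {"risk_object": "10.20.30.40", "risk_score": 60, "source": "risk rule: suspicious DNS TXT query"},
    {"risk_object": "10.20.30.40", "risk_score": 30, "source": "risk rule: clear text credentials"},
    {"risk_object": "10.20.30.99", "risk_score": 20, "source": "risk rule: rare user agent"},
]
# Constructed sample: native XDR detections keyed by the same entity
XDR_DETECTIONS = [
    {"entity": "10.20.30.40", "score": 25, "source": "Secure Access DNS block"},
    {"entity": "10.20.30.77", "score": 90, "source": "Secure Malware Analytics verdict"},
]

def correlate(risk_events, xdr_detections, threshold=RISK_THRESHOLD):
    """Merge both feeds per entity; open an incident when the combined score reaches
    the threshold, keeping each detection's origin (Splunk ES vs XDR) for the analyst."""
    per_entity = defaultdict(lambda: {"score": 0, "sources": []})
    for ev in risk_events:
        agg = per_entity[ev["risk_object"]]
        agg["score"] += ev["risk_score"]
        agg["sources"].append(("splunk_es", ev["source"]))
    for det in xdr_detections:
        agg = per_entity[det["entity"]]
        agg["score"] += det["score"]
        agg["sources"].append(("xdr", det["source"]))
    return [
        {"entity": entity, "score": agg["score"], "sources": agg["sources"], "status": "new"}
        for entity, agg in sorted(per_entity.items())
        if agg["score"] >= threshold
    ]

def sync_status_from_es(incident, es_notable_status):
    """Closed loop: map a Splunk ES notable status onto the XDR incident. Only a terminal
    status closes it; other statuses or a repeat of an applied status are no-ops (idempotent)."""
    terminal = {"closed": "closed", "resolved": "closed"}
    new_status = terminal.get(es_notable_status.strip().lower())
    if new_status is None or incident["status"] == new_status:
        return False
    incident["status"] = new_status
    return True
```

Note that the entity seen only by XDR (score 90) stays below the threshold on its own, which is the point of bringing the Splunk ES risk events in as a correlated source.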

The SOC was successfully deployed in just 12 hours over 1½ days. This speed was not accidental; it was architectural. We used our portable “SOC in a Box”, a pre-configured hardware stack designed to be delivered in advance to the venue, connected to the NOC and immediately begin producing actionable telemetry.

Key factors enabling this rapid setup included:

  • Pre-validated Data Paths: Instant connectivity between the Cisco Live NOC, Splunk Enterprise Security and the Cisco Security Cloud.
  • Battle-Tested Innovation: We integrated advanced security practices developed while safeguarding the Black Hat network, recognized as the world’s most hostile environment.
  • Proven Workflows: We drew upon expertise and playbooks refined at the Super Bowl LX, RSAC, GovWare and prior Cisco Live SOCs.

(Image: SOC in a Box diagram and photo)

The Amsterdam SOC was designed to overcome specific event constraints, such as the inability to install endpoint agents on attendee devices (BYOD) and the need to detect malware in encrypted traffic.

The Visibility Layer: The SOC team worked with the NOC to connect the ‘SOC in a Box’ and Cisco Secure Access for DNS security. We received a Switched Port Analyzer (SPAN) feed of network traffic.

The Investigation Layer: We deployed the EndaceProbe packet capture platform to record all network traffic. This allowed us to pivot from a Splunk alert directly to full packet capture (PCAP) to validate investigative hypotheses. Endace also generated Zeek logs for Splunk Enterprise Security (ES), while file content was reconstructed on the wire and streamed to Splunk Attack Analyzer and Cisco Secure Malware Analytics for sandboxing.

The Analysis & Identity Layer:

  • Splunk Cloud and Splunk ES served as the SOC platform, aggregating risk scores and normalizing data into the Common Information Model (CIM).
  • Cisco XDR acted as the investigation visualization tool, using AI to confirm threats faster with Instant Attack Verification, enriched with threat intelligence provided by Cisco Talos and licenses donated by alphaMountain, Pulsedive and StealthMole, together with community sources.
  • Duo Directory and Identity Intelligence provided the identity plane, securing access to our tools via Single Sign-On and ensuring our analysts were authenticated and authorized within minutes of joining the shift.

(Image: EMEA SOC architecture)

(Image: Duo SSO)

Statistics are always a popular part of the SOC tours. Below are the stats from this year’s event.

Year: 2026
Attendees (Cisco Live): 21,000
Total packets captured (Endace): 130 billion
Total logs captured (Splunk): 6.96 billion
Total sessions (Endace): 911.3 million
Total unique devices (Endace in Splunk): 32,434
Total packets written to disk (Endace): 120 TB
Total logs written to cloud (Splunk): 3.233 TB
Peak bandwidth utilization (Endace): 7 Gbps
DNS requests (Cisco Secure Access): 105 million / 29.3k blocked
Total clear text usernames/passwords (Endace): 5,634
Unique devices / accounts with clear text usernames/passwords (Endace): 575
Files sent for malware analysis (Endace):
  – 1.7m file objects reconstructed by Endace
  – 55,471 sent to Splunk Attack Analyzer
  – 45,514 sent to Secure Malware Analytics

(Image: SOC tour)

The SOC team focuses on continuous innovation: the “OODA loop” of observing, orienting, deciding and acting. We take time to document our experiences for the edification of the community.

Check out the deep-dive technical blogs below from the engineers who worked inside the SOC:

A heartfelt thanks to the engineers whose expertise made the first Cisco Live Amsterdam 2026 SOC a great success.

(Image: SOC team)

Network Operations Center Liaisons

  • Remco Kamerman, Luke Hebditch, Mark Bremner and Scott Neuman

Cisco Security and Splunk SOC Team

  • SOC in a Box: Adi Sankar
  • Splunk Security Integrations: Paul Pelletier and Kenneth Bouchard, with Josh Wilson and Duane Waddle
  • Splunk Threat Researchers: Nasreddine Bencherchali and Paul Pang
  • Breach Protection Suite: Mark Pleunes, Ibrahim Yusuf, Piotr Jarzynka, Matt Vander Horst, Yannis Steiakogiannakis and Eric Rennie, with Bilal Qamar
  • User Protection Suite: Aaron Woland
  • Firewall and Security Cloud Control: Adam Kilgore and Christopher Grabowski

Endace SOC Team

  • Co-SOC Lead: Cary Wright
  • Endace Engineering: Owen Gallagher, Sundarram Paravastu and Sam Brockelsby

We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
