Integrating With Cisco XDR at Black Hat Europe
Investigating indicators of compromise (IOCs) requires a unified view of security data. See how we integrated Cisco XDR with third-party tools and open-source models at Black Hat Europe.
February 9, 2026
Jessica (Bair) Oppenheimer, Ryan Maclennan
Cisco XDR is an open platform for integrations, making it a robust solution supporting the Security Operations Center within the Black Hat NOC and empowering our core mission of malware analysis as the Official Security Cloud provider.
Below are the Cisco XDR integrations used at Black Hat Europe, enabling analysts to rapidly investigate Indicators of Compromise (IOCs) with a single search. Our thanks to alphaMountain.ai, Pulsedive and StealthMole for donating full licenses to Cisco for use in the Black Hat Europe 2025 NOC.
| Cisco Networking and Security | Third Party |
|---|---|
| Splunk Cloud Platform | alphaMountain.ai |
| Splunk Enterprise Security | AlienVault OTX |
| Secure Access | CyberCrime Tracker |
| Splunk Attack Analyzer (custom for BH) | Google Safe Browsing |
| Meraki System Manager | Pulsedive |
| Secure Endpoint for iOS | Shodan |
| Secure Malware Analytics | StealthMole |
| ThousandEyes (custom for BH) | Threatscore (Cyberprotect) |
| Umbrella DNS | Slack |
| Webex | Urlscan |
| XDR Analytics | Beta: Palo Alto Networks NGFW |
| Cisco Telemetry Broker | Beta: Corelight NDR |
The XDR Control Center dashboard displayed the status of the integrations over the week.
[BHEU 2025 XDR dashboard]
Below you can see the integrations in XDR at Black Hat Europe, including in production, in beta and in development.
Building Integrations With Corelight
The Black Hat NOC is a place of collaboration and innovation. At Black Hat Europe 2024, Ivan Berlinson connected Cisco XDR with Splunk to integrate Corelight NDR detections. It created a renaissance of advancements that helped protect the NFL Super Bowl, RSAC, Cisco Live and GovWare. Many of our customers asked if we could build an integration directly between Cisco XDR and Corelight, without Splunk as a middleware requirement.
We worked with Corelight on the required APIs and Cisco XDR engineering on custom network detections to send the Zeek formatted detections to the Data Analytics Platform (DAP) in XDR in OCSF (Open Cybersecurity Schema Framework) format, for correlation and incident generation.
In London, Ryan completed the proof-of-concept integration and submitted it to Cisco XDR quality assurance for testing and publication as an automation workflow integration using webhooks. The integration is live under XDR Automate – Exchange. Search for ‘Corelight’.
[XDR automate exchange]
The integration can ingest up to 25 Corelight log bundles a minute into the XDR DAP.
[XDR Corelight webhook incidents]
You will be able to view the Detections in the Incident, and filter on Sources.
[XDR Corelight webhook incident detection]
To view the details for a Detection, click on the date/time stamp of the row.
[XDR Corelight webhook incident detection details]
Strengthening Integration With Palo Alto Networks
At Black Hat Europe, we beta tested the integration built by our engineering team with Palo Alto Networks NGFW logs from Strata Logging Service, transforming them to OCSF format, and ingesting the logs into our data analytics platform. This means the Firewall logs are normalized and can be correlated with other data sets to produce XDR incidents.
Payload format: JSON array
Filters:
- Firewall/Threat
- Firewall/File
- Firewall/URL
- Firewall/DNS Security
[Connecting PANW and XDRDAP]
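The two integrations above share one shape: a vendor payload arrives (Corelight detections by webhook, Palo Alto NGFW logs as a JSON array), is normalized to OCSF, filtered to the log types of interest, and rate-limited on the way into the DAP. The following Python is an added illustration of that pipeline, not Cisco's, Corelight's or Palo Alto Networks' code. It assumes a Zeek `notice.log` JSON shape for Corelight records, an assumed `log_type` field on Palo Alto records whose values match the filter names listed above, an illustrative subset of OCSF Detection Finding attributes (class_uid 2004), and the 25-bundles-per-minute cap from the Corelight section. All sample records are constructed.

```python
"""Added example: normalize Corelight/Zeek and Palo Alto NGFW records into
OCSF-style Detection Findings, apply the log-type filters, and cap ingest rate.
Not the product's own code; field names marked 'assumed' are not from the post."""
import json
from collections import deque
from datetime import datetime, timezone
from typing import Optional

# Assumed OCSF identifiers for a Detection Finding (illustrative subset only;
# the XDR DAP's actual expected schema is not shown in the post).
OCSF_CLASS_DETECTION_FINDING = 2004
OCSF_CATEGORY_FINDINGS = 2

# OCSF severity_id values: 1 Informational, 2 Low, 3 Medium, 4 High, 5 Critical.
SEVERITY_ID = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# The four Palo Alto log types listed as filters in the post; others are dropped.
PANW_ALLOWED_LOG_TYPES = {"Firewall/Threat", "Firewall/File", "Firewall/URL", "Firewall/DNS Security"}


def epoch_to_iso(ts: float) -> str:
    """Zeek writes 'ts' as epoch seconds; emit an explicit UTC timestamp."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def zeek_notice_to_ocsf(rec: dict) -> dict:
    """Map one Corelight/Zeek notice.log record to a minimal Detection Finding."""
    return {
        "class_uid": OCSF_CLASS_DETECTION_FINDING,
        "category_uid": OCSF_CATEGORY_FINDINGS,
        "time": epoch_to_iso(rec["ts"]),
        # Zeek notices carry no numeric severity; Medium is an assumed default.
        "severity_id": SEVERITY_ID["medium"],
        "finding_info": {"title": rec["note"], "desc": rec.get("msg", ""), "uid": rec.get("uid", "")},
        "src_endpoint": {"ip": rec.get("id.orig_h"), "port": rec.get("id.orig_p")},
        "dst_endpoint": {"ip": rec.get("id.resp_h"), "port": rec.get("id.resp_p")},
        "metadata": {"product": {"vendor_name": "Corelight", "name": "Corelight NDR"}},
    }


def panw_to_ocsf(rec: dict) -> Optional[dict]:
    """Map a Palo Alto record (assumed field names), or None when filtered out."""
    if rec.get("log_type") not in PANW_ALLOWED_LOG_TYPES:
        return None
    return {
        "class_uid": OCSF_CLASS_DETECTION_FINDING,
        "category_uid": OCSF_CATEGORY_FINDINGS,
        "time": rec.get("time", ""),
        "severity_id": SEVERITY_ID.get(str(rec.get("severity", "")).lower(), 0),
        "finding_info": {"title": rec.get("threat_name", rec["log_type"]), "uid": rec.get("log_id", "")},
        "src_endpoint": {"ip": rec.get("src_ip")},
        "dst_endpoint": {"ip": rec.get("dst_ip")},
        "metadata": {"product": {"vendor_name": "Palo Alto Networks", "name": "NGFW"}},
    }


def normalize_bundle(payload: str) -> list:
    """Accept a JSON-array payload and return the OCSF-style findings it yields."""
    records = json.loads(payload)
    if not isinstance(records, list):
        raise ValueError("payload must be a JSON array")
    findings = []
    for rec in records:
        if "note" in rec:                 # Zeek notice.log shape
            findings.append(zeek_notice_to_ocsf(rec))
        elif "log_type" in rec:           # assumed Palo Alto record shape
            finding = panw_to_ocsf(rec)
            if finding is not None:
                findings.append(finding)
    return findings


class BundleRateLimiter:
    """Sliding-window cap: at most `limit` accepted bundles per `window_s` seconds."""

    def __init__(self, limit: int = 25, window_s: float = 60.0):
        self.limit, self.window_s = limit, window_s
        self._accepted = deque()

    def allow(self, now: float) -> bool:
        while self._accepted and now - self._accepted[0] >= self.window_s:
            self._accepted.popleft()
        if len(self._accepted) >= self.limit:
            return False
        self._accepted.append(now)
        return True


# Constructed sample bundle: one Zeek notice, one allowed PANW record, one filtered out.
SAMPLE_BUNDLE = json.dumps([
    {"ts": 1765800000.5, "uid": "CZ1abc", "id.orig_h": "192.0.2.10", "id.orig_p": 51234,
     "id.resp_h": "198.51.100.7", "id.resp_p": 445, "note": "Scan::Port_Scan",
     "msg": "192.0.2.10 scanned at least 15 unique ports of host 198.51.100.7"},
    {"log_type": "Firewall/Threat", "severity": "high", "src_ip": "192.0.2.10",
     "dst_ip": "198.51.100.7", "threat_name": "constructed-signature", "log_id": "1"},
    {"log_type": "Firewall/Traffic", "severity": "informational", "src_ip": "192.0.2.10",
     "dst_ip": "198.51.100.7", "log_id": "2"},
])

if __name__ == "__main__":
    limiter = BundleRateLimiter()
    if limiter.allow(0.0):
        print(json.dumps(normalize_bundle(SAMPLE_BUNDLE), indent=2))
```

The webhook handler that would wrap this is deliberately left out: once the bundle is normalized, what remains is the transport the integration uses (the XDR Automate webhook for Corelight, the DAP ingest for Palo Alto), and neither endpoint's schema is published in the post.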
Building Your Own Integration
Check out the XDR Community resources, which you can utilize to build your own integrations with this powerful open framework.
If you are with a security company that would like to build a supported integration, for Cisco verification and publication in our XDR user interface, you can contact the Cisco Security Technical Alliance team via email.
You can read the other blogs from our colleagues at Black Hat Europe.
About Black Hat
Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.
Authors
Jessica (Bair) Oppenheimer
Director, Security Operations
Threat Detection & Response
Ryan Maclennan
Security Operations Engineer
Security Business Group Engineering