
Integrating With Cisco XDR at Black Hat Europe

Investigating indicators of compromise (IOCs) requires a unified view of security data. See how we integrated Cisco XDR with third-party tools and open-source models at Black Hat Europe.

---

February 9, 2026

---

Jessica (Bair) Oppenheimer, Ryan Maclennan

Cisco XDR is an open integration platform, which is what makes it a strong fit for the Security Operations Center inside the Black Hat NOC and for our core mission there as Official Security Cloud provider: malware analysis.

Below are the Cisco XDR integrations used at Black Hat Europe. Together they let analysts investigate Indicators of Compromise (IOCs) across every connected source with a single search. Our thanks to alphaMountain.ai, Pulsedive and StealthMole for donating full licenses to Cisco for use in the Black Hat Europe 2025 NOC.

| Cisco Networking and Security | Third Party |
|---|---|
| Splunk Cloud Platform | alphaMountain.ai |
| Splunk Enterprise Security | AlienVault OTX |
| Secure Access | CyberCrime Tracker |
| Splunk Attack Analyzer (custom for BH) | Google Safe Browsing |
| Meraki System Manager | Pulsedive |
| Secure Endpoint for iOS | Shodan |
| Secure Malware Analytics | StealthMole |
| ThousandEyes (custom for BH) | Threatscore (Cyberprotect) |
| Umbrella DNS | Slack |
| Webex | Urlscan |
| XDR Analytics | Beta: Palo Alto Networks NGFW |
| Cisco Telemetry Broker | Beta: Corelight NDR |

The XDR Control Center dashboard displayed the status of the integrations over the week.

[Image: BHEU 2025 XDR dashboard]

Below you can see the integrations in XDR at Black Hat Europe, including in production, in beta and in development.

[Image: XDR integrations]

Building Integrations With Corelight

The Black Hat NOC is a place of collaboration and innovation. At Black Hat Europe 2024, Ivan Berlinson connected Cisco XDR with Splunk to bring Corelight NDR detections into XDR. That work set off a series of improvements that went on to help protect the NFL Super Bowl, RSAC, Cisco Live and GovWare. Many of our customers then asked whether we could build a direct integration between Cisco XDR and Corelight, without Splunk as a required middle layer.

We worked with Corelight on the required APIs, and with Cisco XDR engineering on custom network detections, so that the Zeek-formatted detections are sent to the XDR Data Analytics Platform (DAP) in OCSF (Open Cybersecurity Schema Framework) format for correlation and incident generation.

In London, Ryan completed the proof-of-concept integration and submitted it to Cisco XDR quality assurance for testing and publication as an automation workflow integration driven by webhooks. The integration is live under XDR Automate – Exchange; search for ‘Corelight’.

[Image: XDR automate exchange]

The integration can ingest up to 25 Corelight log bundles a minute into the XDR DAP; a sensor that emits detections faster than that needs to batch them into larger bundles or buffer them on the sending side.

[Image: XDR Corelight webhook incidents]

Within an incident you can view the detections it was built from and filter them by source.

[Image: XDR Corelight webhook incident detection]

To view the details of a detection, click the date/time stamp of its row.

[Image: XDR Corelight webhook incident detection details]

Strengthening Integration With Palo Alto Networks

At Black Hat Europe, we beta tested the integration our engineering team built for Palo Alto Networks NGFW logs: it takes the logs from Strata Logging Service, transforms them to OCSF format and ingests them into the XDR data analytics platform. The firewall logs are therefore normalized and can be correlated with the other data sets to produce XDR incidents.

Payload format: JSON array

Filters:

- Firewall/Threat
- Firewall/File
- Firewall/URL
- Firewall/DNS Security

[Image: Connecting PANW and XDRDAP]
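Both integrations above do the same three things: normalize a vendor record into an OCSF event, group events into bundles, and deliver the bundles within the DAP's intake limits. The example below is added here to show those steps end to end for a Corelight (Zeek notice.log) record and for a Strata Logging Service JSON-array payload; it is not Cisco's, Corelight's or Palo Alto Networks' code. The input field names, the OCSF Detection Finding mapping, the bundle size and the severity assigned to Zeek notices are assumptions made for the example; the only figure taken from the page is the 25-bundles-per-minute cap, which the meter enforces so that a burst is deferred rather than dropped.

```python
"""Added example: normalize Corelight/Zeek notices and PAN-OS threat-family logs into
OCSF Detection Findings, bundle them, and meter bundles at 25 per minute.
Input field names and the OCSF mapping are assumptions for this example."""
import json
from collections import deque
from datetime import datetime

OCSF_VERSION = "1.1.0"
BUNDLES_PER_MINUTE = 25      # cap stated on the page for the Corelight webhook integration
EVENTS_PER_BUNDLE = 50       # assumed; the page does not say how many records fit in a bundle
PANW_SEVERITY = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
PANW_LOG_TYPES = {"threat", "file", "url", "dns_security"}   # the four page filters (type names assumed)


def detection_finding(time_ms, title, severity_id, uid, src, dst, vendor, product, raw):
    """Minimal OCSF Detection Finding (category 2 = Findings, class_uid 2004, activity 1 = Create)."""
    return {
        "category_uid": 2, "class_uid": 2004, "activity_id": 1, "type_uid": 200401,
        "time": time_ms, "severity_id": severity_id,
        "finding_info": {"uid": uid, "title": title},
        "metadata": {"version": OCSF_VERSION, "product": {"vendor_name": vendor, "name": product}},
        "src_endpoint": {"ip": src[0], "port": src[1]},
        "dst_endpoint": {"ip": dst[0], "port": dst[1]},
        "unmapped": raw,   # keep the original record so nothing is lost in normalization
    }


def from_zeek_notice(rec):
    """Zeek notice.log record in JSON form (keys such as "id.orig_h", as Zeek's JSON writer emits them).
    Zeek notices carry no severity; rating Intel::/Scan:: notices High is an assumption here."""
    note = rec.get("note", "")
    severity = 4 if note.startswith(("Intel::", "Scan::")) else 3
    return detection_finding(
        time_ms=round(float(rec["ts"]) * 1000), title=f"{note}: {rec.get('msg', '')}",
        severity_id=severity, uid=rec.get("uid", ""),
        src=(rec.get("id.orig_h"), rec.get("id.orig_p")), dst=(rec.get("id.resp_h"), rec.get("id.resp_p")),
        vendor="Corelight", product="Corelight NDR", raw=rec)


def from_panw_record(rec):
    """PAN-OS threat-family record as an HTTP log forwarder would deliver it (field names assumed)."""
    ts = datetime.fromisoformat(rec["time_generated"].replace("Z", "+00:00"))
    return detection_finding(
        time_ms=round(ts.timestamp() * 1000), title=f"{rec.get('sub_type', '')}: {rec.get('threat_name', '')}",
        severity_id=PANW_SEVERITY.get(str(rec.get("severity", "")).lower(), 0),
        uid=str(rec.get("threat_id", "")),
        src=(rec.get("source_ip"), rec.get("source_port")), dst=(rec.get("dest_ip"), rec.get("dest_port")),
        vendor="Palo Alto Networks", product="NGFW", raw=rec)


def from_panw_payload(payload):
    """Parse a JSON-array payload and keep only the four filtered log types."""
    records = json.loads(payload) if isinstance(payload, str) else payload
    if not isinstance(records, list):
        raise ValueError("expected a JSON array payload")
    return [from_panw_record(r) for r in records if r.get("log_type") in PANW_LOG_TYPES]


class BundleMeter:
    """Sliding-window meter: admits at most `limit` bundles per `window` seconds."""
    def __init__(self, limit=BUNDLES_PER_MINUTE, window=60.0):
        self.limit, self.window, self.sent = limit, window, deque()

    def admit(self, now):
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) >= self.limit:
            return False
        self.sent.append(now)
        return True


def bundle(events, size=EVENTS_PER_BUNDLE):
    return [events[i:i + size] for i in range(0, len(events), size)]


def submit(bundles, meter, send, now):
    """Push bundles through the meter; returns (number sent, bundles deferred to the next window)."""
    for i, b in enumerate(bundles):
        if not meter.admit(now):
            return i, bundles[i:]
        send(json.dumps(b))
    return len(bundles), []


# Constructed sample input (documentation IP ranges, invented identifiers).
ZEEK_SAMPLE = [{"ts": 1733829045.123, "uid": "CAbcde1", "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
                "id.resp_h": "192.0.2.10", "id.resp_p": 22, "note": "Scan::Port_Scan",
                "msg": "10.0.0.5 scanned at least 15 unique ports of host 192.0.2.10"}]
PANW_SAMPLE = json.dumps([
    {"log_type": "threat", "sub_type": "vulnerability", "time_generated": "2025-12-10T11:10:45Z",
     "severity": "high", "threat_id": 30000, "threat_name": "HTTP Directory Traversal",
     "source_ip": "198.51.100.7", "source_port": 40000, "dest_ip": "10.0.0.20", "dest_port": 80},
    {"log_type": "traffic", "time_generated": "2025-12-10T11:10:46Z", "source_ip": "10.0.0.5", "dest_ip": "10.0.0.20"},
])

if __name__ == "__main__":
    events = [from_zeek_notice(r) for r in ZEEK_SAMPLE] + from_panw_payload(PANW_SAMPLE)
    sent, deferred = submit(bundle(events), BundleMeter(), send=lambda body: print(body[:80]), now=0.0)
    print(f"sent {sent} bundle(s), deferred {len(deferred)}")
```

The `send` callable is where a real deployment would POST to the webhook URL issued by XDR Automate; it is injected so the bundling and metering can be exercised offline. Keeping the raw record under `unmapped` matters for analysts: once the event is correlated into an incident, the vendor-specific fields the mapping did not cover are still there to pivot on.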

Building Your Own Integration

Check out the XDR Community resources, which you can use to build your own integrations on this open framework.

If you are with a security company that would like to build a supported integration, for Cisco verification and publication in our XDR user interface, you can contact the Cisco Security Technical Alliance team via email.

You can read the other blogs from our colleagues at Black Hat Europe.

**About Black Hat**

Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.

---

We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.


Authors

Jessica (Bair) Oppenheimer

Director, Security Operations

Threat Detection & Response

Ryan Maclennan

Security Operations Engineer

Security Business Group Engineering

---

[Original source](https://blogs.cisco.com/security/integrating-cisco-xdr-black-hat-europe/)
