Integrations make Cisco XDR a strong answer within the Safety Operations Heart of the Black Hat NOC, to satisfy our core mission of malware evaluation because the Official Safety Cloud supplier.
Beneath are the Cisco XDR integrations for Black Hat USA, empowering analysts to research Indicators of Compromise (IOC) in a short time, with one search.
Thanks to alphaMountain.ai and Pulsedive full donating full licenses to Cisco, to be used within the Black Hat USA 2025 NOC.
The XDR Management Heart dashboard displayed the standing of the integrations over the week.
Beneath you possibly can see the energetic integrations in XDR.
Collaboration With Palo Alto Networks
The Black Hat NOC is a really distinctive community the place competitors is thrown out of the home windows and collaboration is dropped at the forefront. The Black Hat leaders consider a number of instruments available on the market to construct and function the community (or they construct their very own). The important thing distinguishing issue is that these instruments are chosen with a limiteless price range because the distributors present licensing for his or her instruments for free of charge to Black Hat, together with the workers to run/handle/combine into the safety stack. With the price issue eliminated, the choice is solely about what instrument finest meets their distinctive wants. The result’s a particularly numerous set of instruments and distributors that should be operationalized and built-in within the brief arrange window.
This yr, I made a decision to take a deeper have a look at Palo Alto Networks XSIAM. Palo Alto Networks is the official Firewall and XDR/SIEM/SOAR supplier for the Black Hat NOC. Though I do have some expertise with PANW Cortex it was fascinating to study what extra capabilities are included in XSIAM in addition to understanding the excitement phrase of Subsequent Technology SIEM. XSIAM is a next-gen, all-in-one safety operations platform, integrating XDR, SIEM, SOAR, UEBA, and menace intel right into a single AI-driven system for large-scale SecOps. XSIAM is an AI first platform with LLM summaries for every incident and Microsoft Copilot in-built. Copilot can be utilized for a quantity use instances together with common looking or serving to craft a specific XQL question.
Let’s check out a PANW XSIAM incident after which see how the identical information may very well be surfaced in Cisco XDR.
Evolving Integration With Palo Alto Networks
Cisco XDR is designed to be a vendor agnostic instrument with a purpose of working with buyer’s current infrastructure. This implies Cisco XDR wants to have the ability to combine with Third get together instruments together with applied sciences which may be thought of market competitors. Within the Black Hat NOC, we collaborate with competitors as a result of the actual enemy isn’t one other vendor however slightly the adversary. Cisco XDR has an integration module to combine with Cortex XDR which provides enrichment functionality for each EDR detections and Firewall detections. Nevertheless, this enrichment is an on demand, point-in-time, question which brings again information related to what’s being investigated in Cisco XDR. This integration doesn’t produce XDR incidents from PANW.
To enhance this integration a customized automation workflow was created to question the PAN-OS API straight for menace logs after which publish them as incidents in Cisco XDR. Then the subsequent part of the combination took benefit of Splunk by sending PANW menace logs to Splunk after which utilizing XDR automation to question Splunk for the PANW menace logs. The automation workflow queries a number of information units in Splunk and makes use of a worldwide desk variable to maintain observe of the incidents which have been created and both replace or create new incidents. This logic will be complicated and bypasses Cisco XDR’s correlation logic.
The following part of the PANW integration is presently being constructed by our engineering workforce and the Black Hat community is the right innovation zone to get actual world information to construct the combination with. Our engineering workforce is working to take PANW NGFW logs from Strata Logging Service, remodel them to OCSF (Open Cybersecurity Schema Framework), and ingest them into our information analytics platform. This implies the Firewall logs are normalized and will be correlated with different information units to supply XDR incidents.
Conclusion
The Black Hat NOC offers a uncommon setting the place interoperability, innovation, and collaboration thrive—no matter vendor boundaries. Exploring Palo Alto Networks XSIAM on this area revealed the true potential of next-gen SecOps platforms, from automated incident enrichment to seamless integration with supporting instruments like Corelight and Slack. On the identical time, Cisco XDR’s vendor-agnostic design and evolving integration with PAN information by way of APIs, Splunk, and OCSF show the facility of adaptable, cross-platform collaboration. As each platforms proceed to evolve, the NOC stays a proving floor for pushing the boundaries of what’s attainable in trendy safety operations.
About Black Hat
Black Hat is the cybersecurity trade’s most established and in-depth safety occasion sequence. Based in 1997, these annual, multi-day occasions present attendees with the most recent in cybersecurity analysis, improvement, and traits. Pushed by the wants of the group, Black Hat occasions showcase content material straight from the group by way of Briefings shows, Trainings programs, Summits, and extra. Because the occasion sequence the place all profession ranges and educational disciplines convene to collaborate, community, and talk about the cybersecurity subjects that matter most to them, attendees can discover Black Hat occasions in america, Canada, Europe, Center East and Africa, and Asia. For extra info, please go to the Black Hat web site.
We’d love to listen to what you suppose! Ask a query and keep linked with Cisco Safety on social media.
Cisco Safety Social Media
Share: