Integrations make Cisco XDR a powerful solution in the Security Operations Center of the Black Hat NOC, to fulfill our core mission of malware analysis as the Official Security Cloud provider.
Below are the Cisco XDR integrations for Black Hat USA, empowering analysts to investigate Indicators of Compromise (IOC) very quickly, with one search.
Thank you to alphaMountain.ai and Pulsedive for donating full licenses to Cisco, for use in the Black Hat USA 2025 NOC.
The XDR Control Center dashboard displayed the status of the integrations over the week.

Below you can see the active integrations in XDR.


Collaboration With Palo Alto Networks
The Black Hat NOC is a unique network where competition is thrown out of the window and collaboration is brought to the forefront. The Black Hat leaders evaluate multiple tools on the market to build and operate the network (or they build their own). The key distinguishing factor is that these tools are chosen with an unlimited budget, since the vendors provide licensing for their tools at no cost to Black Hat, along with the staff to run, manage, and integrate them into the security stack. With the cost factor removed, the decision is simply about which tool best meets their unique needs. The result is an extremely diverse set of tools and vendors that must be operationalized and integrated in the short setup window.
This year, I decided to take a deeper look at Palo Alto Networks XSIAM. Palo Alto Networks is the official Firewall and XDR/SIEM/SOAR provider for the Black Hat NOC. Although I do have some experience with PANW Cortex, it was interesting to learn what additional capabilities are included in XSIAM, as well as to understand the buzzword "Next Generation SIEM". XSIAM is a next-gen, all-in-one security operations platform, integrating XDR, SIEM, SOAR, UEBA, and threat intel into a single AI-driven system for large-scale SecOps. XSIAM is an AI-first platform with LLM summaries for each incident and Microsoft Copilot built in. Copilot can be used for a number of use cases, including general searching or helping craft a particular XQL query.
Let’s take a look at a PANW XSIAM incident and then see how the same data could be surfaced in Cisco XDR.
Evolving Integration With Palo Alto Networks
Cisco XDR is designed to be a vendor-agnostic tool with the goal of working with customers' existing infrastructure. This means Cisco XDR needs to be able to integrate with third-party tools, including technologies that may be considered market competition. In the Black Hat NOC, we collaborate with competitors because the real enemy is not another vendor but rather the adversary. Cisco XDR has an integration module for Cortex XDR which offers enrichment capability for both EDR detections and Firewall detections. However, this enrichment is an on-demand, point-in-time query which brings back data relevant to what is being investigated in Cisco XDR. This integration does not produce XDR incidents from PANW.
To improve this integration, a custom automation workflow was created to query the PAN-OS API directly for threat logs and then post them as incidents in Cisco XDR. The next phase of the integration took advantage of Splunk: PANW threat logs were sent to Splunk, and XDR automation then queried Splunk for them. The automation workflow queries multiple data sets in Splunk and uses a global table variable to keep track of the incidents that have already been created, so that each run either updates an existing incident or creates a new one. This logic can be complex, and it bypasses Cisco XDR's own correlation logic.
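The create-or-update bookkeeping described above is the part of the workflow that is easy to get wrong: without a persisted table keyed on the detection, every run re-posts the same firewall hits as fresh incidents. The following example, added here and not part of the Cisco workflow or any Cisco or Palo Alto Networks API, shows that logic in isolation. The threat-log rows, their field names, the incident key (threat id plus source address), the severity ranking, and the `StubXdrClient` that stands in for the XDR incident API are all assumptions constructed for the illustration.

```python
"""Create-or-update tracking for incidents built from PANW threat logs.
Added illustration: the Splunk search and the XDR incident API are replaced
by constructed rows and an in-memory stub client."""
from dataclasses import dataclass

# Constructed threat-log rows, shaped like what a Splunk search over a PANW
# threat index might return. Field names are an assumption for this example.
RUN_1 = [
    {"_time": "2025-08-05T10:00:00Z", "src": "10.1.1.5", "dst": "203.0.113.9",
     "threat_id": "30002", "threat_name": "Example.Scanner", "severity": "medium"},
    {"_time": "2025-08-05T10:01:00Z", "src": "10.1.1.5", "dst": "203.0.113.9",
     "threat_id": "30002", "threat_name": "Example.Scanner", "severity": "medium"},
    {"_time": "2025-08-05T10:02:00Z", "src": "10.2.2.7", "dst": "198.51.100.4",
     "threat_id": "41000", "threat_name": "Example.Beacon", "severity": "high"},
]
# A later workflow run: the first source escalates, a new source appears.
RUN_2 = [
    {"_time": "2025-08-05T10:30:00Z", "src": "10.1.1.5", "dst": "203.0.113.9",
     "threat_id": "30002", "threat_name": "Example.Scanner", "severity": "high"},
    {"_time": "2025-08-05T10:31:00Z", "src": "10.3.3.3", "dst": "192.0.2.77",
     "threat_id": "52000", "threat_name": "Example.Dropper", "severity": "low"},
]

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class TrackedIncident:
    """One row of the 'global table' the workflow persists between runs."""
    incident_id: str
    severity: str
    hit_count: int
    last_seen: str


def incident_key(log: dict) -> str:
    """Same threat signature from the same internal host -> same incident."""
    return f"{log['threat_id']}|{log['src']}"


class StubXdrClient:
    """Stand-in for the XDR incident API: records calls instead of making them."""

    def __init__(self):
        self.created = []
        self.updated = []

    def create_incident(self, log: dict) -> str:
        incident_id = f"INC-{len(self.created) + 1}"  # placeholder id format
        self.created.append((incident_id, log))
        return incident_id

    def update_incident(self, incident_id: str, log: dict) -> None:
        self.updated.append((incident_id, log))


def reconcile(state: dict, logs: list, client: StubXdrClient) -> list:
    """Walk the logs in time order; update a tracked incident or create one.

    Returns the list of (action, key) pairs taken, for auditing the run."""
    actions = []
    for log in sorted(logs, key=lambda row: row["_time"]):
        key = incident_key(log)
        if key in state:
            inc = state[key]
            inc.hit_count += 1
            inc.last_seen = log["_time"]
            # Only ever raise severity; a later low-severity hit must not downgrade.
            if SEVERITY_RANK[log["severity"]] > SEVERITY_RANK[inc.severity]:
                inc.severity = log["severity"]
            client.update_incident(inc.incident_id, log)
            actions.append(("update", key))
        else:
            state[key] = TrackedIncident(
                incident_id=client.create_incident(log),
                severity=log["severity"],
                hit_count=1,
                last_seen=log["_time"],
            )
            actions.append(("create", key))
    return actions


def run_demo():
    """Two consecutive workflow runs sharing one state table."""
    state = {}  # the persisted table; empty on the very first run
    client = StubXdrClient()
    first = reconcile(state, RUN_1, client)
    second = reconcile(state, RUN_2, client)
    return first, second, state, client


if __name__ == "__main__":
    first, second, state, client = run_demo()
    print("run 1:", first)
    print("run 2:", second)
    for key, inc in state.items():
        print(key, inc)
```

The state table is the whole point: on the second run the repeated scanner hit from 10.1.1.5 becomes an update (with the severity raised to high) rather than a duplicate incident, while the previously unseen host still produces a new one. In a real workflow the table has to survive between runs and be written back atomically, otherwise a failed run can either replay or lose hits.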
The next phase of the PANW integration is currently being built by our engineering team, and the Black Hat network is the perfect innovation zone for gathering real-world data with which to build it. Our engineering team is working to take PANW NGFW logs from Strata Logging Service, transform them to OCSF (Open Cybersecurity Schema Framework), and ingest them into our data analytics platform. This means the Firewall logs are normalized and can be correlated with other data sets to produce XDR incidents.
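To make the normalization step concrete, here is an added example (not Cisco's pipeline and not an official Palo Alto Networks or OCSF mapping) that turns one constructed PAN-OS threat-log record into an OCSF Network Activity event and then correlates it with an event from a second source by source address. The input field names, the action-to-activity mapping, the OCSF schema version string, and the second "endpoint-agent" event are all assumptions made for the illustration; the class, category, severity, and disposition identifiers follow the published OCSF enumerations as I understand them.

```python
"""Normalize a PAN-OS threat log to an OCSF Network Activity event and
correlate normalized events across sources. Added illustration only."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed PAN-OS threat-log record; field names loosely follow the threat
# log CSV layout and are an assumption for this example.
SAMPLE_PAN_THREAT_LOG = {
    "receive_time": "2025/08/05 10:00:00",
    "src": "10.1.1.5", "sport": 51234,
    "dst": "203.0.113.9", "dport": 443,
    "proto": "tcp",
    "action": "reset-both",
    "severity": "high",
    "threatid": "Example.Scanner(30002)",
    "rule": "outbound-web",
}

OCSF_CATEGORY_NETWORK_ACTIVITY = 4
OCSF_CLASS_NETWORK_ACTIVITY = 4001
OCSF_SCHEMA_VERSION = "1.1.0"  # assumed target version
PAN_SEVERITY_TO_OCSF = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
# Assumed mapping of firewall actions onto Network Activity activity_id values:
# Reset (3) for reset-* actions, Refuse (5) for drops, Traffic (6) for allowed hits.
PAN_ACTION_TO_ACTIVITY = {
    "allow": 6, "alert": 6,
    "drop": 5, "deny": 5,
    "reset-client": 3, "reset-server": 3, "reset-both": 3,
}
REQUIRED_FIELDS = ("category_uid", "class_uid", "activity_id", "type_uid",
                   "severity_id", "time", "metadata")


def to_ocsf(rec: dict) -> dict:
    """Map one PAN-OS threat-log record onto an OCSF Network Activity event."""
    # receive_time carries no zone; treating it as UTC is an assumption.
    ts = datetime.strptime(rec["receive_time"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
    activity_id = PAN_ACTION_TO_ACTIVITY.get(rec["action"], 99)  # 99 = Other
    threat_name, _, threat_id = rec["threatid"].rstrip(")").rpartition("(")
    return {
        "category_uid": OCSF_CATEGORY_NETWORK_ACTIVITY,
        "class_uid": OCSF_CLASS_NETWORK_ACTIVITY,
        "activity_id": activity_id,
        "type_uid": OCSF_CLASS_NETWORK_ACTIVITY * 100 + activity_id,  # OCSF convention
        "severity_id": PAN_SEVERITY_TO_OCSF.get(rec["severity"].lower(), 0),  # 0 = Unknown
        "disposition_id": 1 if rec["action"] in ("allow", "alert") else 2,  # Allowed / Blocked
        "time": int(ts.timestamp() * 1000),  # OCSF time is epoch milliseconds
        "metadata": {
            "version": OCSF_SCHEMA_VERSION,
            "product": {"name": "PAN-OS", "vendor_name": "Palo Alto Networks"},
        },
        "src_endpoint": {"ip": rec["src"], "port": rec["sport"]},
        "dst_endpoint": {"ip": rec["dst"], "port": rec["dport"]},
        "connection_info": {"protocol_name": rec["proto"]},
        # Vendor-specific detail that has no core attribute goes in unmapped.
        "unmapped": {"threat_name": threat_name, "threat_id": threat_id, "rule": rec["rule"]},
    }


def validate(event: dict) -> list:
    """Return the names of required OCSF fields that are missing."""
    return [name for name in REQUIRED_FIELDS if name not in event]


def correlate_by_source(events: list, min_products: int = 2) -> dict:
    """Group normalized events by src_endpoint.ip and keep only the addresses
    seen by at least `min_products` distinct products: a simple cross-source
    correlation that only works because every event shares the same shape."""
    by_ip = defaultdict(list)
    for ev in events:
        ip = ev.get("src_endpoint", {}).get("ip")
        if ip:
            by_ip[ip].append(ev)
    return {
        ip: evs for ip, evs in by_ip.items()
        if len({ev["metadata"]["product"]["name"] for ev in evs}) >= min_products
    }


def demo_correlation() -> dict:
    """Firewall event plus a constructed event from a second source on the same host."""
    firewall_event = to_ocsf(SAMPLE_PAN_THREAT_LOG)
    other_host = to_ocsf({**SAMPLE_PAN_THREAT_LOG, "src": "10.9.9.9", "action": "allow"})
    # Constructed already-normalized event from a hypothetical endpoint sensor.
    endpoint_event = {
        "category_uid": 4, "class_uid": 4001, "activity_id": 6, "type_uid": 400106,
        "severity_id": 3, "time": firewall_event["time"] + 60_000,
        "metadata": {"version": OCSF_SCHEMA_VERSION,
                     "product": {"name": "endpoint-agent", "vendor_name": "example"}},
        "src_endpoint": {"ip": "10.1.1.5", "port": 40001},
        "dst_endpoint": {"ip": "203.0.113.9", "port": 443},
    }
    return correlate_by_source([firewall_event, other_host, endpoint_event])


if __name__ == "__main__":
    event = to_ocsf(SAMPLE_PAN_THREAT_LOG)
    print("missing required fields:", validate(event))
    print(event)
    print("correlated sources:", {ip: len(evs) for ip, evs in demo_correlation().items()})
```

The value of the normalization shows up in `correlate_by_source`: once the firewall log and an event from an unrelated sensor both carry `src_endpoint.ip` and `metadata.product.name`, a single grouping rule finds the host seen by both, with no per-vendor field names in the correlation logic. Validate the mapped events against the schema version you actually target before shipping; the identifiers above are the ones I know from the public OCSF definitions, but a schema upgrade can change them.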
Conclusion
The Black Hat NOC provides a rare environment where interoperability, innovation, and collaboration thrive—regardless of vendor boundaries. Exploring Palo Alto Networks XSIAM in this space revealed the true potential of next-gen SecOps platforms, from automated incident enrichment to seamless integration with supporting tools like Corelight and Slack. At the same time, Cisco XDR’s vendor-agnostic design and evolving integration with PAN data through APIs, Splunk, and OCSF demonstrate the power of adaptable, cross-platform collaboration. As both platforms continue to evolve, the NOC remains a proving ground for pushing the boundaries of what’s possible in modern security operations.
About Black Hat
Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.