PROBABLYPWNED
Announcements | February 9, 2026 | 6 min read

Cisco XDR Powers Black Hat Europe NOC With Beta Integrations

Cisco XDR showcased production-ready integrations with Corelight NDR and Palo Alto Networks firewalls at Black Hat Europe, processing 25 log bundles per minute.

ProbablyPwned Team

Cisco XDR served as the backbone for Black Hat Europe 2025's Network Operations Center, providing a real-world testbed for third-party security integrations that analysts are now deploying in production. The company just published its integration report detailing how beta partnerships with Corelight and Palo Alto Networks matured into operational deployments capable of processing thousands of security events per minute.

From Beta to Production in London

The Black Hat Europe NOC has historically served as Cisco's integration laboratory—a place where experimental features face the fire of live network traffic before reaching customers. This year's event demonstrated the maturity of Cisco XDR's third-party ecosystem, moving beyond theoretical compatibility into practical deployment at conference scale.

Two integrations that started as beta projects at previous Black Hat events reached production-ready status in London: direct ingestion from Corelight's Network Detection and Response platform, and firewall telemetry from Palo Alto Networks via Strata Logging Service.

Corelight NDR: Bypassing the Splunk Middleware Layer

The Corelight integration represents a significant architectural shift. Prior implementations required Splunk as a middleware layer to normalize Zeek-formatted network detections before XDR could consume them. The new direct integration converts Corelight's output to OCSF (Open Cybersecurity Schema Framework) format on the fly, feeding it straight into XDR's Data Analytics Platform.

During Black Hat Europe, this pipeline processed up to 25 Corelight log bundles per minute—each bundle containing multiple network detections. The system handles detection filtering, source analysis, and correlation with other security signals without human intervention. For organizations already running Corelight for network visibility, the direct XDR integration eliminates a costly middleware dependency while maintaining full detection fidelity.

Palo Alto Firewalls: Expanding Beyond the Cisco Ecosystem

The Palo Alto Networks integration breaks new ground for Cisco's platform. The company initially demonstrated firewall log ingestion at Black Hat USA 2023, but the London deployment showcases a production-ready connector pulling logs from Palo Alto's Strata Logging Service and transforming them into OCSF format. This cross-vendor approach stands in contrast to last month's Cisco AsyncOS zero-day, where security teams had to rely solely on Cisco's own detection capabilities.

The integration supports four critical payload categories: firewall/threat logs, file activity, URL filtering events, and DNS security data. These logs correlate with detections from Cisco Secure Access—the DNS security platform that processed 66 million queries at the same event—and other security tools in the XDR ecosystem to generate unified incidents.

For security teams running mixed vendor environments, this means firewall telemetry from Palo Alto, endpoint data from Cisco Secure Endpoint, and network detections from Corelight can all feed a single incident timeline. That level of cross-vendor correlation has historically required custom SIEM engineering.

Why This Matters for Security Teams

Extended Detection and Response platforms live or die based on the breadth of their data sources. An XDR that only ingests telemetry from its own vendor's products is functionally just a rebranded SIEM. What Cisco demonstrated at Black Hat Europe is the more difficult engineering work: consuming third-party security tools at production scale while maintaining detection accuracy.

The OCSF framework is key to this strategy. By standardizing on an open schema, Cisco XDR can theoretically ingest detections from any security vendor willing to support the format—or any organization willing to write a transformation layer. The Security Technical Alliance partnership program provides official support for validated integrations, but the platform's open API means security teams can build custom connectors when needed.

What Was Tested Beyond Beta

Beyond the two headline integrations, the Black Hat Europe NOC deployed a full stack of Cisco and third-party tools feeding XDR Analytics:

Cisco Security Products:

  • Splunk Cloud Platform and Enterprise Security
  • Secure Access (formerly Umbrella DNS)
  • Secure Endpoint for iOS
  • Secure Malware Analytics
  • ThousandEyes network monitoring
  • Telemetry Broker

Third-Party Threat Intelligence and Tools:

  • alphaMountain.ai
  • AlienVault OTX
  • Shodan
  • StealthMole
  • Pulsedive
  • Threatscore | Cyberprotect
  • Slack and Webex for incident collaboration

The conference also served as a proving ground for Cisco's acquisition of Splunk. Enterprise Security Cloud ingested XDR incidents and surfaced executive dashboards tracking threat activity across the event network. For organizations evaluating how Cisco's 2024 Splunk acquisition will impact their security operations workflows, the Black Hat deployment offers a reference architecture.

Practical Integration Engineering

The blog post from Cisco's Jessica Bair Oppenheimer and Ryan Maclennan includes technical implementation details often missing from vendor marketing. The Corelight connector's ability to process 25 bundles per minute isn't just a performance metric—it's a meaningful data point for sizing XDR deployments in environments with high network detection volume.

Similarly, the Palo Alto firewall integration's support for four specific log categories (firewall/threat, file, URL, DNS) tells security architects exactly what telemetry types will correlate with other XDR signals. Knowing that DNS security logs from Palo Alto firewalls will merge with DNS queries captured by Cisco Secure Access helps teams understand what incident context the platform can actually reconstruct.

For teams attending similar security conferences or managing complex multi-vendor environments, the hacker conference infrastructure model provides a realistic stress test. Black Hat networks see attack traffic, misconfigurations, and edge cases that internal lab environments rarely encounter. If integrations survive that environment, they're likely ready for production deployment.

Developer Resources and Custom Integrations

Cisco published community resources for organizations interested in building custom XDR integrations. While the Security Technical Alliance program handles official partnerships with major security vendors, the platform's architecture supports custom connectors via open APIs.

The OCSF schema documentation provides the data format requirements, and Cisco's XDR API reference covers authentication, ingestion endpoints, and query interfaces. Organizations with homegrown security tools or niche vendor products can theoretically achieve the same level of integration demonstrated with Corelight and Palo Alto—assuming they're willing to handle the transformation engineering.

This open approach differentiates Cisco XDR from closed platforms that require vendor-approved integrations for every data source. The tradeoff is engineering complexity: building a reliable OCSF transformation layer requires understanding both the source data format and XDR's schema expectations. For teams with the technical capability, it's a path to full visibility across their entire security stack.
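To make the transformation work described above concrete (the Corelight section's on-the-fly conversion of Zeek-formatted detections to OCSF, and the custom-connector engineering this section discusses), here is an added example that is not Cisco's, Corelight's, or the OCSF project's code. It reads a constructed bundle of Corelight-style newline-delimited JSON, maps `conn` records to the OCSF Network Activity class and `notice` records to the Detection Finding class, and checks each event for the fields the OCSF base event requires before it would be handed to an ingestion endpoint. The class and category identifiers follow the public OCSF schema; the `conn_state` to `activity_id` mapping, the default severity for notices, the product metadata, and the use of a `_path` key to tell log types apart are assumptions made for this example, and the exact envelope XDR expects is not described on the page.

```python
"""Zeek/Corelight JSON -> OCSF transformer (illustrative example, not vendor code)."""
import json

# Class and category identifiers from the public OCSF schema.
NETWORK_ACTIVITY = {"class_uid": 4001, "class_name": "Network Activity",
                    "category_uid": 4, "category_name": "Network Activity"}
DETECTION_FINDING = {"class_uid": 2004, "class_name": "Detection Finding",
                     "category_uid": 2, "category_name": "Findings"}

# Zeek conn_state -> OCSF Network Activity activity_id (assumed mapping for this example).
CONN_STATE_ACTIVITY = {
    "SF": (6, "Traffic"),   # normal establishment and termination
    "S0": (4, "Fail"),      # attempt seen, no reply
    "REJ": (5, "Refuse"),   # connection rejected
    "RSTO": (3, "Reset"),
    "RSTR": (3, "Reset"),
}

PRODUCT = {"name": "Corelight Sensor", "vendor_name": "Corelight"}  # assumed metadata

# Fields the OCSF base event marks as required; a connector should never emit an event without them.
REQUIRED = ("class_uid", "category_uid", "activity_id", "type_uid", "time", "severity_id", "metadata")


def _base(cls, activity_id, activity_name, ts):
    """Build the common OCSF envelope. Zeek ts is epoch seconds; OCSF time is epoch milliseconds."""
    return {**cls,
            "activity_id": activity_id, "activity_name": activity_name,
            "type_uid": cls["class_uid"] * 100 + activity_id,
            "time": int(round(float(ts) * 1000)),
            "metadata": {"version": "1.1.0", "product": PRODUCT}}


def conn_to_ocsf(rec):
    """Map a Zeek conn.log record to an OCSF Network Activity event."""
    act_id, act_name = CONN_STATE_ACTIVITY.get(rec.get("conn_state"), (99, "Other"))
    ev = _base(NETWORK_ACTIVITY, act_id, act_name, rec["ts"])
    ev.update({
        "severity_id": 1,  # Informational: a flow record is context, not a detection
        "src_endpoint": {"ip": rec["id.orig_h"], "port": rec["id.orig_p"]},
        "dst_endpoint": {"ip": rec["id.resp_h"], "port": rec["id.resp_p"]},
        "connection_info": {"protocol_name": rec.get("proto", "unknown"), "uid": rec["uid"]},
        "traffic": {"bytes_out": rec.get("orig_bytes", 0), "bytes_in": rec.get("resp_bytes", 0)},
    })
    return ev


def notice_to_ocsf(rec):
    """Map a Zeek notice.log record to an OCSF Detection Finding event."""
    ev = _base(DETECTION_FINDING, 1, "Create", rec["ts"])
    ev.update({
        "severity_id": 3,  # Medium by default: notice.log carries no severity field (assumption)
        "message": rec.get("msg", ""),
        "finding_info": {"title": rec["note"], "uid": rec.get("uid", "")},
        "src_endpoint": {"ip": rec.get("src")},
        "dst_endpoint": {"ip": rec.get("dst")},
    })
    return ev


def missing_required(ev):
    """Return the names of required OCSF base fields absent from an event (empty list = OK)."""
    return [f for f in REQUIRED if f not in ev]


def transform_bundle(lines):
    """Transform one bundle of JSON lines. Malformed lines and unsupported log types are
    counted rather than silently dropped so the pipeline's loss rate stays visible."""
    events, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        path = rec.get("_path")  # assumed: Corelight JSON tags each record with its log type
        if path == "conn":
            events.append(conn_to_ocsf(rec))
        elif path == "notice":
            events.append(notice_to_ocsf(rec))
        else:
            skipped += 1
    return events, skipped


# Constructed sample bundle (not real traffic): one flow, one notice, one unsupported log, one bad line.
SAMPLE_BUNDLE = [
    '{"_path":"conn","ts":1733760000.5,"uid":"CAbc123","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","conn_state":"SF","orig_bytes":820,"resp_bytes":5120}',
    '{"_path":"notice","ts":1733760001.0,"uid":"CAbc123","note":"Scan::Port_Scan",'
    '"msg":"10.0.0.5 scanned at least 15 unique ports","src":"10.0.0.5","dst":"203.0.113.7"}',
    '{"_path":"dns","ts":1733760002.0}',
    'not json',
]

if __name__ == "__main__":
    evs, dropped = transform_bundle(SAMPLE_BUNDLE)
    for ev in evs:
        assert not missing_required(ev), missing_required(ev)
        print(json.dumps(ev, indent=2))
    print(f"transformed={len(evs)} skipped={dropped}")
```

The point worth noting for sizing and fidelity: the transformer keeps the Zeek connection `uid` on both the flow event and the finding, which is what lets a downstream platform tie a Corelight detection back to the flow that triggered it once both land in the same schema. The skipped counter is the check a practitioner wants when a connector is handling bundles at the rate the report cites, because a silently lossy transformation layer looks healthy right up until an analyst notices a missing detection.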
