09/09/2025 | News release | Distributed by Public on 09/09/2025 06:12
The Swiss Army knife is an iconic multi-tool that originated in the late 19th century, the predecessor of the popular multitools of today. The need for a versatile tool arose when the Swiss Army required a compact, portable solution for its soldiers, who needed to perform various tasks while in the field. The first model, introduced in 1891, featured a blade, reamer, can opener, and screwdriver. This innovative design became a staple for Swiss soldiers, and its multifunctionality made it extremely popular among civilians as well, who valued its convenience and adaptability for everyday tasks and outdoor activities.
Over time, the Swiss Army knife evolved to include more tools and features, becoming a symbol of craftsmanship and ingenuity. Subsequent versions added items like scissors, tweezers, and saws. The development of new models was driven by practical requirements and innovations, and this approach allowed Victorinox to maintain the knife's reputation for versatility and reliability while adapting to the changing demands of users. The number of tools one could have in a Swiss Army knife became a selling point, and a matter of some competition among outdoors enthusiasts, to see who could put the most tools (and the most useful tools) inside this compact, portable, convenient framework.
The Swiss Army knife and Cisco XDR share a theme of versatility and integration. Just as the Swiss Army knife combines multiple tools into a single, compact device to address a range of needs, Cisco XDR integrates various cybersecurity functionalities into a unified platform. The tools within a Swiss Army knife, such as its blades, can opener, and screwdriver, each useful for specific tasks, are akin to the integrations within Cisco XDR, which include firewalls, EDR products, email security products, and many more types of security tools, which can each be used for threat detection, response automation, and analytics. Both serve the purpose of equipping users with comprehensive solutions to tackle diverse challenges, whether in the context of everyday tasks or complex cybersecurity scenarios.
Just as Victorinox would add new tools to the familiar Swiss Army knife, we add new integrations and capabilities to Cisco XDR on a regular basis, several every quarter. In this blog we will briefly go over the additional integrations made available in Cisco XDR in the first half of 2025.
Cisco XDR's open integration ecosystem, built on interoperability and collaboration, enables seamless connection with a wide array of security tools and platforms, giving organizations the flexibility to tailor solutions to their specific needs and maximize existing investments. It is structured into three models: Managed, Verified, and Community, each offering different levels of integration and support. Managed integrations are fully supported and maintained by Cisco for high reliability. Verified integrations are developed with vetted partners and rigorously tested for compatibility and performance. Community integrations invite user and partner contributions to foster shared innovation. This approach delivers tangible outcomes such as enhanced threat detection and faster response through consolidated visibility, greater confidence in operational stability from robust support, and a continuously evolving security landscape that adapts to emerging threats, empowering customers to build comprehensive, effective, and future-ready security postures.
So, what have we been working on during the first half of 2025? I'm glad you asked. We'll start with the Cisco products for which we've added integrations.
Cisco Identity Intelligence - This provides the transport mechanism for user intelligence and context from all the products (Cisco and third party) that already have Cisco Identity Intelligence integrations. XDR's Asset Insights function is still the brains of the operation, and the Identity Intelligence integration is now included in Cisco XDR Advantage and Premier as a convenient way to funnel all that critical user insight into your investigations, incident detections, and response actions.
Cisco Secure Access - Along with Cisco SD-WAN, this is the flagship Cisco SASE offering. In this integration, Cisco XDR will ingest Secure Access detections for automated triage, correlation, and incident detection. Additionally, Secure Access observations and intelligence will be included in XDR investigations, and users get response actions powered by Secure Access for use from the pivot menu and in guided Incident Response operations.
Cisco Splunk Enterprise - By popular demand (and as per the original plan) we have extended our Splunk support to the on-premises version. This integration supports the same three primary outcomes as the integration with Splunk Cloud:
Note that this integration, like its Cloud counterpart, is with Splunk "core," and does not require additional Splunk products such as Enterprise Security, SOAR, or Attack Analyzer.
In the first half of 2025 we also focused on initiating and/or improving our integrations with Google products.
Google Chromebooks - Google's lightweight notebooks, designed primarily as client devices for SaaS applications and popular in education, manufacturing, and other specific industries, can now be tracked and identified as assets in XDR Asset Insights, making it much easier to identify, triage, and respond to incidents that have targeted those devices.
Cisco XDR is a Chrome Enterprise Recommended solution. This program was created to help enterprises find technologies that improve working on the web and in the cloud. From optimizing with ChromeOS to integrating with Chrome browser, enterprises can count on Chrome Enterprise Recommended partner solutions to support their workforces, wherever they work. Learn more about Chrome Enterprise Recommended solutions.
Google Cloud Platform - Cisco XDR ingests Google Cloud Platform (GCP) Virtual Private Cloud flow logs into our Data Analytics Platform for analysis, correlation, and triage. This update to the existing integration provides two upgrades:
Google Security Operations (SecOps) - Cisco XDR has for some time had an integration with Google Chronicle. Google has since wrapped Chronicle up into its new SecOps product offering, and as a first step towards expanding our existing integration to meet the new capabilities of this exciting new product, we have renamed the module and updated its description and other relevant details. Stay tuned for additional Google SecOps functionality.
We also extended our coverage for two popular Microsoft security products beyond their Commercial Cloud versions, offering support for them in Microsoft's Government Community Cloud (GCC).
Microsoft Government Community Cloud (GCC) - This is the "parent" module, in which you configure the access required for Defender products in GCC. Once it is configured, you then enable one or both of the following within that module:
Each of these offers the same XDR outcomes as its commercial cloud equivalent.
It is crucial for practitioners to stay current with the latest integrations added to Cisco XDR. Keeping up to date maximizes the value of existing security investments, enhances detection and response capabilities, and helps maintain robust protection against sophisticated threats.
We provide several tools and resources to help customers stay informed about new XDR integrations. One key resource is Cisco XDR Connect, a user-friendly resource that makes it simple to search, browse, and view details of all available Cisco XDR integrations and automation content. This includes integration capabilities, installation steps, and compatible automation workflows. Throughout the descriptions above, I have linked each integration to its corresponding XDR Connect page.
Additionally, Cisco regularly updates its release notes, blogs, and documentation, providing ongoing announcements and guidance to help customers leverage the full power of Cisco XDR's growing ecosystem.
Cisco XDR emphasizes an open integration ecosystem because it empowers organizations to fully leverage their existing security tools and data sources, regardless of vendor. Cisco XDR's open and documented APIs allow customers and partners to build their own integrations, fostering a vibrant ecosystem that supports vendor diversity and best-of-breed security strategies. This approach avoids vendor lock-in and meets security practitioners where they are, maximizing their investments. Additionally, Cisco has a program for Verified integrations developed by trusted partners, ensuring quality and reliability.
This open approach enhances security team agility by enabling the use of the best tools and access to comprehensive information, which increases efficiency, accelerates threat detection and response, and reduces dwell time. These are all measurable, real-world improvements to the security capabilities of any XDR customer, and if your XDR does not embrace this philosophy, you should ask your vendor why not. We intend to stay committed to solving the problems our customers trust us (and pay us) to solve, and you can look forward to an even more open, broad, and robust integration architecture in future Cisco XDR updates.
We'd love to hear what you think! Ask a question and stay connected with Cisco Security on social media.