Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Fueling Cisco XDR with Corelight high-fidelity network evidence | Corelight

Written by Cody Spooner | Mar 19, 2026 3:46:51 PM

From hunting threats to solving complex problems to coding on a couch, adventures in the Black Hat NOC (Network Operations Center) are always interesting. Over the last few months and several shows, I’ve had the privilege of working with one of the other NOC partners, Cisco, to design and test our first integration between Corelight Investigator and Cisco XDR. While we worked on this project virtually for several weeks, the passion for building new things, more caffeine than I care to admit, and a comfy couch brought this special integration together.

The Integration

The goal of this project was to integrate Corelight’s rich network-based detections and alerts into Cisco XDR’s User Interface (UI) without requiring any middleware, such as a SIEM. Traditionally, data would flow through a SIEM such as Splunk and then into Cisco XDR; we knew we could streamline that workflow to alleviate the strain on the SOC. We did this by leveraging Corelight Investigator’s new Detection and Alerts API, which now enables Cisco customers to automatically enrich their XDR data with high-fidelity Corelight detections and alerts.

In the example below, there is a Suricata® IDS-based detection. Corelight offers a variety of detection types, such as Suricata, Zeek®, Machine Learning, YARA, etc. All of the detection types are available within this integration.


At the core of this integration is entity-focused enrichment. Within the Cisco XDR platform, you’ll be able to see Corelight alerts and detections along with the entity information associated with them. If you’re leveraging Cisco XDR as your “pane of glass”, this is incredibly valuable: you get another high-fidelity source of truth to help you get to the bottom of exactly what an entity on your network is doing.


Naturally, this also means that relevant dashboards and cards will incorporate and highlight the correlated Corelight data. Not only can you see that an IP, for example, has a Corelight alert associated with it, you can also see its relationship with other entities.


The Setup

At a high level, you need your Corelight Investigator administrator to generate an API key for Cisco XDR to poll Corelight data. The Cisco XDR administrator would then configure the integration.

  1. Go to “General Settings” via the gear icon within the UI, which is located on the left side of the screen.

  2. Navigate to the API Keys section at the top of the screen. All generated API keys will

  3. Make sure to save the key once it’s generated since you won’t be able to see it again if you don’t!

  4. Configuration on the Cisco XDR side is just as simple. You’ll start by heading over to the “Integrations” page.

  5. From here, you can search for the “Corelight Investigator” integration.

  6. Once there, you can add in the required API information from Corelight.


What’s next?

Great question! Over the next several weeks, we’ll be introducing a follow-on integration between Corelight and Cisco XDR that enables analysts to query Corelight (and other integrated offerings) directly from the Cisco XDR “Investigations” panel. For example, an analyst might submit a query on a suspicious IP address that requests any helpful information related to that IP address from all relevant Cisco XDR integrations. Unlike the integration I’ve laid out above, this integration doesn’t use middleware; it is a direct integration between Corelight and Cisco XDR. This is very exciting and shows how our integrations with Cisco XDR are helping streamline investigation workflows, enabling our mutual customers to maintain a stronger security posture with more confidence and less effort!

Learn more about the Corelight Investigator integration with Cisco XDR.