Release Notes for Cisco XDR 2.56

Release Date: December 17, 2025

New Features and Updates

Note: Only sections with new customer-facing features or updates in this release are listed below.

Incidents

Feature	Description	Help Topic
Help update	Updated the Incidents topic with a new screenshot to align with the UI.	Incidents

Automate

Feature	Description	Help Topic
Google SecOps integration	Two Google SecOps targets are now automatically created in Automate when you configure the Google SecOps integration on the Integrations page.	Targets Created From Integrations
Help updates	The following updates have been made to the Help: Updated the Custom Security Event Workflow section in the Workflow Event topic with more information on the Custom OCSF Event Source integration that is automatically added after you create a Custom Security Event workflow. Updated the Webhooks topic with information on the expiration email reminders sent prior and after the configured expiration date. Added new OVA file information to the Configure and Deploy the Virtual Appliance section in the Remote Setup and Deployment topic.	Workflow Intent Webhooks Remote Setup and Deployment

Feature

Description

Help Topic

Google SecOps integration

Two Google SecOps targets are now automatically created in Automate when you configure the Google SecOps integration on the Integrations page.

Targets Created From Integrations

Help updates

The following updates have been made to the Help:

Updated the Custom Security Event Workflow section in the Workflow Event topic with more information on the Custom OCSF Event Source integration that is automatically added after you create a Custom Security Event workflow.
Updated the Webhooks topic with information on the expiration email reminders sent prior and after the configured expiration date.
Added new OVA file information to the Configure and Deploy the Virtual Appliance section in the Remote Setup and Deployment topic.

Workflow Intent

Webhooks

Remote Setup and Deployment

Assets

Feature	Description	Help Topic
Meraki Network Clients support	Meraki Network Clients are now supported on the Devices page, and the Sources page will display separate cards for Meraki System Manager and Meraki Network Client devices. Existing customers do not need to update their Cisco Meraki integration, as the integration module will automatically ingest Meraki Network Clients data.	Devices Sources

Feature

Description

Help Topic

Meraki Network Clients support

Meraki Network Clients are now supported on the Devices page, and the Sources page will display separate cards for Meraki System Manager and Meraki Network Client devices. Existing customers do not need to update their Cisco Meraki integration, as the integration module will automatically ingest Meraki Network Clients data.

Devices

Sources

Client Management

Feature	Description	Help Topic
Help updates	Added the Minimum Cisco XDR Licensing Tier Required column to the Operating System and Architecture Support table in the Create Deployment topic.	Create Deployment

Integrations

Feature	Description	Help Topic
Oracle Cloud Infrastructure integration added to Integrations page	The new Oracle Cloud Infrastructure integration has been added to the Third-Party tab on the Integrations page. Oracle Cloud Infrastructure (OCI) is a suite of cloud services that enables organizations to build, deploy, and manage a variety of applications and workloads. As part of its security architecture, OCI includes virtual firewalls that control network traffic as it passes through your Virtual Cloud Networks (VCNs). Traffic that is either accepted or rejected by these firewalls is recorded in VCN Flow Logs. These logs are managed through the OCI Logging service, where they can be viewed, searched, and exported. Using the OCI Connector Hub, Flow Logs are delivered to an OCI Object Storage. Enable the OCI integration to ingest VCN Flow Logs directly from OCI Object Storage and leverage them as network telemetry to generate security findings within the XDR platform.	Cisco and Third-Party Integrations and Supported Capabilities Oracle Cloud Infrastructure Integration
Splunk Cloud integration update	Microsoft Azure Cloud is now available as an option in the Hosting Platform drop-down list when you configure the Splunk Cloud integration on the Integrations page.	—
Google SecOps integration update	The Google SecOps integration now supports the Security Operation Center (SOC) Automation capability.	Cisco and Third-Party Integrations and Supported Capabilities Google SecOps Integration

Feature

Description

Help Topic

Oracle Cloud Infrastructure integration added to Integrations page

The new Oracle Cloud Infrastructure integration has been added to the Third-Party tab on the Integrations page. Oracle Cloud Infrastructure (OCI) is a suite of cloud services that enables organizations to build, deploy, and manage a variety of applications and workloads. As part of its security architecture, OCI includes virtual firewalls that control network traffic as it passes through your Virtual Cloud Networks (VCNs). Traffic that is either accepted or rejected by these firewalls is recorded in VCN Flow Logs. These logs are managed through the OCI Logging service, where they can be viewed, searched, and exported. Using the OCI Connector Hub, Flow Logs are delivered to an OCI Object Storage.

Enable the OCI integration to ingest VCN Flow Logs directly from OCI Object Storage and leverage them as network telemetry to generate security findings within the XDR platform.

Cisco and Third-Party Integrations and Supported Capabilities

Oracle Cloud Infrastructure Integration

Splunk Cloud integration update

Microsoft Azure Cloud is now available as an option in the Hosting Platform drop-down list when you configure the Splunk Cloud integration on the Integrations page.

—

Google SecOps integration update

The Google SecOps integration now supports the Security Operation Center (SOC) Automation capability.

Cisco and Third-Party Integrations and Supported Capabilities

Google SecOps Integration

XDR Forensics

Feature	Description	Help Topic
Timeline	The Timeline feature has been added to the XDR Forensics Investigation Hub. Use the Timeline to run high-performance attribute-based searches, and view event visualization and additional filters for reporting and collaboration.	Timeline
Enhanced role management for Global Admins	Global Admins in XDR Forensics can now update specific privileges for user roles, enabling the creation of highly customized roles within their XDR Forensics organization. Global Admins may disable features such as remote shell access, forensic evidence acquisition, and other XDR Forensics capabilities which will prevent users from using those capabilities in Cisco XDR. Currently, Cisco XDR does not display an error message when a user attempts to access a disabled capability. See Cisco XDR Known Issues for more information.	User Roles
Evidence collection expansion	Evidence collection on macOS now includes SSH, Launchd, crash logs, apple system logs, and more.	macOS Evidence List
Global search	Updated the XDR Forensics Global Search feature to fix the event-subscription error that prevented use of the search bar.	Global Search
Help updates	The XDR Forensics Knowledge Base has been updated to include detailed information on each type of supported evidence collected by acquisition profiles for Windows and macOS.	Supported Evidence

Previous Release Notes

To view the Release Notes for previous releases, see Previous Release Notes for Cisco XDR.