Automating Third-Party Risk with Dataminr + Cortex XSOAR
In most organizations, third-party risk breaks down at the same place: between awareness and action. Security teams may hear that a vendor has been breached, named by a ransomware group, or impacted by an outage. This information often arrives through fragmented channels such as email threads, news alerts, Slack/Teams messages, social media, or analyst intuition. The gap isn't detection alone; it's the absence of a repeatable, automated path from signal to response.
From legacy static assessments to intelligence-led third-party risk
Third-party risk in today's world has outgrown static assessments, annual questionnaires, and after-the-fact reporting. The threats that impact vendors, suppliers, and service providers move in real time, often outside the perimeter, and demand an operational response and not just awareness. What Dataminr and Cortex XSOAR enable together is a shift in how organizations manage that reality. Dataminr provides early, external visibility into risks as they emerge, while Cortex XSOAR ensures those signals are handled with the same rigor, consistency, and accountability as any internal security incident.
By closing the loop from signal to action, third-party risk becomes an intelligence-led, incident-driven operating model. Alerts are no longer just observed; they are triaged, owned, acted on, and documented through repeatable workflows that scale across teams and shifts. This approach reduces uncertainty for analysts, improves coordination between security, risk, and IT, and gives leadership confidence that vendor-related incidents are managed deliberately rather than reactively.
Ultimately, automating third-party risk isn't about responding faster for the sake of speed. It's about responding better: better decisions, better documentation, and better alignment to business impact. With Dataminr and Cortex XSOAR, organizations move from knowing something happened to proving they handled it consistently, defensibly, and at the speed today's risk landscape requires.
Who is Dataminr?
Dataminr delivers AI-powered, real-time event, threat, and risk intelligence that helps security teams detect and understand risk before it becomes an incident. Its AI platform processes more than 45 terabytes of multimodal data each day, across text, images, audio, video, and sensors, from over one million public sources in more than 150 languages. By applying advanced analytics, generative and agentic AI, and multimodal fusion across 55 proprietary large language models, Dataminr filters out noise and focuses attention on the threats that actually matter. This allows organizations to move from reactive response toward a more resilient, preemptive security strategy aligned to today's rapidly evolving threat environment.
With Dataminr's real-time intelligence, an analyst can create custom lists based on the threats that matter most to their organization, built around companies, topics, geographic areas, and priorities.
Dataminr helps answer the question: "Is something happening to my vendor, to me, or to my employees right now?"
Integrating Dataminr with Cortex XSOAR
Our goal with Cortex XSOAR is to keep the analyst on the same screen when responding to incidents and use playbooks to guide their hand in making the best decision. One of my favorite talking points with Cortex XSOAR is "have API; will travel," because it's an open platform with the Marketplace acting like an App Store. If an integration partner has a published API, we can quickly bring their data into our Cortex XSOAR environment.
We can onboard Dataminr as a new integration in minutes by entering the Client ID and Client Secret issued by the Dataminr Developer Portal.
We can also limit the types of alerts that flow to our analysts, and adjust the mapper so that regional and physical security alerts are routed to the teams responsible for them, using context data and playbooks in the SOC.
With those basic settings, Dataminr's threat intelligence is available to our SOC analysts inside Cortex XSOAR.
Real-world scenarios the SOC sees
Third-party risk rarely announces itself through formal notifications or clean disclosures. More often, it shows up as breaking news, social media chatter, forum posts, or regional events that hint at a larger issue. Dataminr is built to surface these early signals across cyber, regional, and physical domains, while Cortex XSOAR ensures those signals are handled consistently once they reach the SOC.
Cyber third-party risk scenarios
- Ransomware group claims breach of major SaaS provider: Dataminr can surface early mentions of a vendor being named by a ransomware group or discussed on illicit forums, often before official confirmation. When ingested into XSOAR, this intelligence becomes a third-party cyber incident with assigned ownership and severity, allowing the SOC to assess exposure, notify stakeholders, and document actions instead of debating credibility in chat.
- Cloud provider experiencing widespread service disruption: Dataminr can alert on outages or disruption signals tied to third-party infrastructure. XSOAR enables the SOC to route the incident to IT and business continuity teams, track impact, and coordinate response in a single workflow.
- Active exploitation of vulnerability impacting multiple vendors: Dataminr can highlight emerging exploitation activity affecting third-party products or services. XSOAR helps normalize this into a structured incident so vulnerability management and risk teams can prioritize response based on real-world threat activity and not just CVSS scores.
Regional and geopolitical risk scenarios
- Civil unrest disrupts operations in a key supplier region: Dataminr can detect early reports of civil disruptions and geopolitical incidents in regions where vendors operate. Once in XSOAR, the SOC can correlate the event to known vendor dependencies and coordinate with risk, IT, or business teams before service impact occurs.
- Geopolitical conflict raises concerns about regional data centers: Dataminr can surface geopolitical developments that may indirectly affect third-party operations. XSOAR allows the SOC to treat this as a trackable incident, capturing decisions, escalation paths, and mitigation steps rather than relying on informal awareness.
- Sanctions or regulatory actions announced against companies in a supply chain: Dataminr can surface breaking regulatory or sanctions-related news tied to vendors. XSOAR ensures these alerts are routed appropriately and documented as part of third-party risk response.
Physical and cyber-physical risk scenarios
- Power outage impacts vendor data center operations: Dataminr can surface early reports of infrastructure outages affecting third-party facilities. In XSOAR, this becomes a cyber-physical incident that can be coordinated with IT operations, security, and business continuity teams.
- Natural disaster disrupts supplier logistics or facilities: Dataminr can provide intelligence on natural disasters or physical disruptions tied to vendor locations. XSOAR helps the SOC track impact, escalate appropriately, and maintain situational awareness without losing context.
- Physical incident escalates into digital service degradation: Dataminr's cyber-physical coverage highlights how physical threats affect digital assets. XSOAR ensures these events are handled with the same rigor as traditional cyber incidents: playbooks, ownership, and documentation included.
Once these external signals are detected, our next challenge is turning them into something the SOC can act on.
Turn signals into incidents
Detection does not create action. Closing the loop requires that external intelligence be normalized into something operational. This is where Cortex XSOAR Incidents come in. These Dataminr alerts are now transformed into the same incident framework the SOC already trusts: incident types, severity, ownership, and playbooks.
What automation enables
Transforming Dataminr intelligence into a Cortex XSOAR incident is where visibility turns into accountability, but it's not where the work stops. This is the point where automation begins to matter. Once a third-party signal is normalized into an incident, XSOAR provides the structure needed to consistently answer the questions that typically slow teams down during vendor-related events:
- Who owns this?
- How serious is it?
- What do we do next?
Instead of relying on analyst intuition or ad-hoc coordination, playbooks guide triage, enrichment, and escalation so decisions are made the same way every time, regardless of who is on shift.
For the SOC, this means third-party incidents no longer live in a gray area between "interesting" and "actionable." Dataminr provides early, external context, and XSOAR applies incident types, severity, and routing logic that align to business impact. Analysts are guided through a repeatable flow without leaving the platform:
- Confirm relevance
- Assess exposure
- Notify the right stakeholders
This removes guesswork, reduces noise, and prevents vendor events from stalling while teams debate next steps in email or chat.
From a risk and leadership perspective, automation is what turns awareness into defensible response. Third-party risk often fails not because organizations didn't know about an event, but because actions were inconsistent, undocumented, or delayed. With XSOAR, every decision, enrichment step, and escalation is captured as part of the incident lifecycle. This creates a clear audit trail showing when the organization became aware of a vendor issue, how it was assessed, and what actions were taken, supporting due diligence and post-incident review without relying on after-the-fact reconstruction.
Most importantly, automation introduces guardrails. Closing the loop does not mean blindly responding to every external signal. Playbooks allow teams to control where automation stops and human judgment begins, whether that means requiring approval before escalation, validating confidence in Dataminr intelligence before acting on it, or routing incidents to different teams based on geography or vendor criticality. The result is a balanced approach where speed and consistency improve without sacrificing control.
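The routing, severity, and guardrail logic described above, as an added example that is not code from the original post and not a Dataminr or Cortex XSOAR artifact; it also illustrates the mapper adjustment mentioned in the integration section. The alert field names, the vendor inventory, the team names, and the confidence threshold are assumptions for illustration. In a deployment they would come from the integration's mapper, an XSOAR list or a CMDB, and the `to_incident` function would run inside an automation or pre-processing rule rather than stand-alone.

```python
"""Added example: not code from the page, Dataminr, or Cortex XSOAR.

Normalises a Dataminr-style alert into an XSOAR-style incident record:
incident type from the alert's domain, severity from the affected vendor's
criticality and the alert's confidence, owning team from domain and region,
and guardrails that stop automation where a human has to decide. Every field
name below (alert keys, vendor inventory, team names, thresholds) is an
assumption for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# XSOAR's numeric severity scale (1 Low .. 4 Critical).
SEV_LOW, SEV_MEDIUM, SEV_HIGH, SEV_CRITICAL = 1, 2, 3, 4
MIN_CONFIDENCE = 0.6  # assumed: below this, a human validates the intel first

# Assumed vendor inventory: name -> id, criticality (1 low .. 4 mission-critical)
# and the regions the vendor operates in. Constructed for this example.
VENDORS = {
    "acme saas": {"id": "acme-saas", "criticality": 4, "regions": {"us-east", "eu-west"}},
    "globex cloud": {"id": "globex-cloud", "criticality": 3, "regions": {"ap-south"}},
    "initech logistics": {"id": "initech-logistics", "criticality": 2, "regions": {"eu-west"}},
}

INCIDENT_TYPES = {
    "cyber": "Third-Party Cyber",
    "regional": "Third-Party Regional",
    "physical": "Third-Party Cyber-Physical",
}

# Assumed routing: (domain, region) is tried first, then (domain, None).
ROUTING = {
    ("regional", "eu-west"): "emea-security-ops",
    ("cyber", None): "soc-tier2",
    ("regional", None): "global-security-ops",
    ("physical", None): "it-ops-bcp",
}
TRIAGE_QUEUE = "soc-triage"  # assumed queue for anything a human must confirm


@dataclass
class Incident:
    incident_type: str
    severity: int
    owner: str
    vendor_id: Optional[str]
    dedup_key: str
    requires_approval: bool
    note: str


def match_vendor(alert: dict) -> Optional[dict]:
    """Match the alert to the inventory by named company, then by headline text."""
    names = [c.lower() for c in alert.get("companies", [])]
    text = alert.get("headline", "").lower()
    for name, vendor in VENDORS.items():
        if name in names or name in text:
            return vendor
    return None


def score_severity(domain: str, vendor: dict, confidence: float, region: Optional[str]) -> int:
    """Severity starts from vendor criticality, then adjusts for confidence and locality."""
    base = {1: SEV_LOW, 2: SEV_LOW, 3: SEV_MEDIUM, 4: SEV_HIGH}[vendor["criticality"]]
    if domain == "cyber" and confidence >= 0.8:
        base += 1  # high-confidence claim against the vendor itself
    if domain in ("regional", "physical") and region not in vendor["regions"]:
        base -= 1  # event is outside the regions where this vendor operates
    return max(SEV_LOW, min(SEV_CRITICAL, base))


def dedup_key(vendor_id: str, domain: str, headline: str) -> str:
    """Stable key so repeated chatter about one event maps to one incident."""
    normalised = " ".join(headline.lower().split())
    return hashlib.sha256(f"{vendor_id}|{domain}|{normalised}".encode()).hexdigest()[:16]


def to_incident(alert: dict) -> Incident:
    domain = alert["domain"]
    headline = alert["headline"]
    confidence = float(alert.get("confidence", 0.0))
    vendor = match_vendor(alert)

    if vendor is None:
        # Unknown third party: record it, but never route or escalate automatically.
        return Incident("Third-Party Unmatched", SEV_LOW, TRIAGE_QUEUE, None,
                        dedup_key("unknown", domain, headline), True,
                        "no vendor in inventory matched; analyst confirms relevance")

    severity = score_severity(domain, vendor, confidence, alert.get("region"))
    owner = ROUTING.get((domain, alert.get("region"))) or ROUTING[(domain, None)]
    key = dedup_key(vendor["id"], domain, headline)

    # Guardrails: where automation stops and a human decides.
    if confidence < MIN_CONFIDENCE:
        return Incident(INCIDENT_TYPES[domain], severity, TRIAGE_QUEUE, vendor["id"], key, True,
                        f"confidence {confidence:.2f} below {MIN_CONFIDENCE}; validate before acting")
    if severity >= SEV_HIGH:
        return Incident(INCIDENT_TYPES[domain], severity, owner, vendor["id"], key, True,
                        "high/critical: stakeholder notification requires approval")
    return Incident(INCIDENT_TYPES[domain], severity, owner, vendor["id"], key, False,
                    "routine: playbook enriches and notifies automatically")


if __name__ == "__main__":
    # Constructed sample alert, not real Dataminr output.
    sample = {"alertId": "a1", "domain": "cyber", "confidence": 0.9, "region": "us-east",
              "companies": ["Acme SaaS"],
              "headline": "Ransomware group claims breach of Acme SaaS"}
    print(to_incident(sample))
```

Two design choices are worth noting. Severity is derived from the vendor's criticality in your own inventory rather than from the alert alone, which is what ties the incident to business impact; and the deduplication key collapses repeated social-media or news chatter about one event into a single incident instead of a flood. The two `requires_approval` branches are the guardrails the post describes: low-confidence intelligence is parked for validation, and high or critical incidents cannot notify stakeholders without a human sign-off.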
This is what "closing the loop" looks like in practice: Dataminr detects risk as it forms outside the perimeter, and Cortex XSOAR ensures that intelligence is handled with the same discipline as any internal security incident. Third-party risk moves from informal awareness to an operationalized response model: repeatable, auditable, and aligned to how modern SOCs operate.
Closing the loop on risk
Moving from signal to action is where Dataminr and Cortex XSOAR deliver value together: Dataminr provides early, external awareness of third-party risk, and XSOAR provides the orchestration layer that turns that awareness into consistent, auditable action. This combination addresses different concerns across security, risk, and technology leadership, while operating as a single system.
- CISO: Defensibility and confidence. Dataminr surfaces early warning signals about vendor breaches, ransomware disclosures, and emerging risks affecting third parties, often before formal notification. Cortex XSOAR then ensures those signals are handled through standardized incidents, ownership, and documented response workflows. This allows CISOs to demonstrate due diligence, show that third-party risk is actively managed rather than merely monitored, and confidently answer board-level questions about how vendor incidents are detected, assessed, and addressed.
- SOC Director: Operational consistency at scale. Dataminr brings real-time third-party intelligence directly into the SOC's workflow instead of forcing analysts to chase alerts across tools. Cortex XSOAR normalizes those alerts into incidents that trigger playbooks, assign ownership, and guide response. The result is fewer ad-hoc decisions, reduced analyst thrash, and predictable outcomes regardless of who is on shift when a vendor incident breaks.
- Security Analyst: Reduces noise and uncertainty. Dataminr provides context-rich alerts focused on what matters, while XSOAR presents that intelligence in a familiar incident layout with clear next steps. Analysts no longer need to decide whether a third-party alert is "just interesting" or "actionable." The platform provides structure, enrichment, and guided response, allowing analysts to focus on decision-making rather than manual coordination.
- Risk Management: Identification and treatment. Dataminr enables continuous visibility into threats affecting vendors and service providers, while Cortex XSOAR operationalizes that intelligence through documented response workflows. Risk teams gain timely engagement, preserved evidence, and consistent reporting that transforms third-party risk from periodic assessments into an intelligence-led, operational discipline.
- CIO: Resilience and business continuity. Dataminr detects disruptions, outages, and cyber-physical events impacting critical vendors and infrastructure, while XSOAR ensures those signals are routed and acted on quickly within existing operational workflows. This alignment enables faster coordination between security and IT teams, minimizes business impact, and supports informed decision-making when vendor incidents threaten availability or service delivery.
- Vulnerability Management: Connects external threat intelligence to real-world prioritization. Dataminr highlights emerging vulnerabilities and exploitation activity affecting third parties, while Cortex XSOAR incorporates that intelligence into structured incidents that can drive prioritization, compensating controls, or vendor engagement. This focuses vulnerability efforts on active risk rather than static scoring, aligning remediation decisions with what attackers are exploiting now.
Closing the loop looks different depending on role, but across all personas the underlying pattern is the same:
- Dataminr detects risk early, outside the perimeter.
- Cortex XSOAR turns that intelligence into action inside the organization.
Closing the loop ensures that third-party risk is not just seen but handled consistently, documented defensibly, and aligned to business impact.
Conclusion
Third-party risk is no longer a periodic assessment or a checkbox exercise. It's a real-time operational challenge. Vendors, suppliers, and service providers are increasingly where risk first appears, often outside the visibility of traditional SOC security tooling and long before formal notification occurs. As shown, the challenge is not a lack of information, but the lack of a consistent way to turn early signals into coordinated, defensible action.
By combining Dataminr and Cortex XSOAR, organizations establish a practical operating model for third-party risk. Dataminr delivers early, external awareness across cyber, regional, and physical domains, while Cortex XSOAR ensures that intelligence is handled with the same rigor as any internal security incident. Alerts become incidents, incidents follow playbooks, and playbooks enforce consistency, ownership, and documentation. The result is a SOC that is no longer reacting to headlines but responding to risk as it emerges.
Most importantly, automating third-party risk is not about responding faster for the sake of speed. It's about responding better. Better decisions, clearer accountability, and stronger alignment to business impact. With Dataminr and Cortex XSOAR working together, organizations move from knowing something happened to proving how they handled it consistently, repeatably, and at scale.
In the next blog, we'll build on this foundation and shift focus to another critical question:
How do you identify the vulnerabilities and exploits that matter and prioritize the response accordingly?
We'll explore how external threat intelligence and SOAR workflows can help security teams cut through vulnerability noise, understand active exploitation, and drive remediation decisions based on real-world risk rather than scores and lists.