Build agents

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-11
Category: Administrator Guide
Abstract

Build new agents.

You can build custom agents in Cortex XDR to execute plans and assist in investigations. A custom agent has the same permissions as, or fewer permissions than, the user who creates it. For example, you might create an agent with all of your permissions to use for certain investigations, and also create a read-only agent that provides you with information but does not execute actions on real-world systems. Custom agents can be private or shared with all users.

When you build an agent, assign it every action that your workflow requires. Agents are self-contained: they cannot communicate with other agents and cannot access actions that are not assigned to them.

Note

To build agents in the Agents Hub, you must have view/edit permissions. For more information, see Agentic Assistant role-based access control.

  1. Click the agent chat icon in the upper right-hand corner, click the side panel icon to expand the menu if needed, and then click the Agents Hub menu item.

  2. From the Agents tab of the Agents Hub, click Create agent.

  3. Complete the following agent detail fields:

    Agent Name (required)

      A short descriptive name for the agent. Each agent must have a different name.

    Color (optional)

      The color for the icon that appears in the agent list.

    Description (required)

      A description of the agent's purpose or area.

    Specific Instructions (optional)

      Provide the agent with detailed customized instructions. You can include a wide range of directives, from describing the agent's role and preferred terminology to step-by-step processes and the structure of the output.

      • Role: What the agent is supposed to be or act as. Defines its identity and primary function.

        Example A: SOC tier 1 analyst. As a tier 1 analyst you are responsible for triaging alerts and concluding whether an alert is a true or false positive.

        Example B: Incident response analyst. As an incident response analyst you are responsible for investigating and conducting forensics of relevant artifacts related to an incident. You provide conclusions about the incident and the TTPs used by the threat actor.

      • Instructions: The specific rules and behavioral guidelines that tell the agent how to operate and respond.

        Example: Follow the NIST framework, provide clear and concise recommendations, use critical thinking when conducting analysis.

      • Structure: How the agent should format and organize its responses.

        Examples of possible formats: JSON, Markdown, Array, enum.

    Agent access (optional)

      Choose whether to make the agent a Public Agent. Public agents can be accessed by all users with View/Edit permissions to Interact with Agents. By default, custom agents are available only to the users who created them.

    Conversation starters (optional)

      Include up to four prompts that appear under the prompt bar when the user interacts with the agent. Conversation starters help users understand what the agent can do and how to initiate a request.

  4. Click Next to proceed to the Access Control page.

  5. Define which roles and actions the agent can access. To save an agent, there must be at least one role or action selected.

    Note

    If you clear the checkbox for a role, all actions associated with that role are also cleared. The exception is when another selected role is associated with the same actions; those actions remain selected.

    If you clear the checkbox for an action, all roles associated with that action are cleared. For example, if you select the Investigator role, and Send Mail and Tavily Extract are both actions associated with that role, clearing the checkbox for Investigator also clears the checkboxes for Send Mail and Tavily Extract. If you then reselect the Send Mail action, the Investigator role is not automatically selected.

    Not all actions are associated with a role.

    For an agent to be able to run XQL queries, you must add the Cortex - Run XQL Query action. This action is included by default for all system agents.

  6. If needed, register one or more new actions by clicking New Action and following the steps in Manage actions.

  7. Click Save Agent.
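The role/action selection rules from step 5 are easy to get wrong when auditing an agent's effective permissions. The following is an added model of those rules (example code, not Cortex XDR's own implementation). The Investigator role and the Send Mail, Tavily Extract and Cortex - Run XQL Query actions are taken from the steps above; the Responder role and its action mapping are a constructed sample, since the real associations come from your tenant.

```python
from dataclasses import dataclass, field

# Constructed sample mapping of role -> associated actions.
# Investigator and its two actions are from the procedure; Responder is hypothetical.
ROLE_ACTIONS = {
    "Investigator": {"Send Mail", "Tavily Extract"},
    "Responder": {"Send Mail"},
}
# Not every action is associated with a role; this one is selected on its own.
XQL_ACTION = "Cortex - Run XQL Query"


@dataclass
class AccessControl:
    """Models the checkbox state of an agent's Access Control page."""
    roles: set = field(default_factory=set)
    actions: set = field(default_factory=set)

    def select_role(self, role: str) -> None:
        self.roles.add(role)
        self.actions |= ROLE_ACTIONS.get(role, set())

    def clear_role(self, role: str) -> None:
        self.roles.discard(role)
        # Drop the role's actions, except those another selected role still covers.
        covered = set().union(*(ROLE_ACTIONS.get(r, set()) for r in self.roles))
        self.actions -= ROLE_ACTIONS.get(role, set()) - covered

    def select_action(self, action: str) -> None:
        # Reselecting an action does not reselect any role associated with it.
        self.actions.add(action)

    def clear_action(self, action: str) -> None:
        self.actions.discard(action)
        # Clearing an action clears every role associated with it.
        self.roles -= {r for r, acts in ROLE_ACTIONS.items() if action in acts}

    def can_save(self) -> bool:
        # An agent needs at least one role or action before it can be saved.
        return bool(self.roles or self.actions)

    def can_run_xql(self) -> bool:
        return XQL_ACTION in self.actions
```

Use `can_run_xql()` as the check for the step 5 note: a custom agent only gets XQL access when the Cortex - Run XQL Query action is explicitly selected.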