Choose a system or custom agent for your chat.
To use the Agentic Assistant, you first select the agent best suited for the task. Each agent is designed with specific goals and toolsets to address different aspects of security operations.
You can choose from system agents, public agents other users have created, or agents you have personally built and configured.
Within the chat prompt, click the agent icon on the left.
You can hover over each agent in the list to view a brief description of its primary focus.
Select the agent that best suits your current task or investigation.
Select an agent from Slack
Select an agent from Slack by sending a request and tagging your configured bot name in a thread (for example, @Your bot name). Cortex Agentic Assistant returns a dropdown menu of available agents to select from.
Note
Only public agents are supported via Slack.
System agents
System agents are pre-built, mission-focused virtual personas provided out-of-the-box by Cortex XDR to handle specific security use cases without requiring manual configuration.
System agents come with defined roles and permissions. For example, the Threat Intel agent is pre-configured to enrich indicators, while the Help Center agent is designed specifically to retrieve documentation.
You can access additional system agents by enabling specific modules or licenses. When the relevant licenses are active (for example, Cloud Posture or XSIAM Enterprise), the corresponding agents appear in your list. For instance, the Exposure Management agent helps prioritize risks but explicitly requires the Exposure Management add-on to function.
If a system agent is missing from your chat, it may be disabled or not included in your license. Go to the Agents Hub (accessible via the side panel in the Agentic Assistant menu), where you can view a list of all enabled and disabled agents. An administrator may need to re-enable the agent to make it visible in your chat again.
Examples of specialized system agents:
| Agent Type | Description |
|---|---|
| Case Investigation | Accelerate and simplify the analyst's workflow by converting complex data points, case context, and event relationships into clear, actionable insights. It understands the whole structure of a case, automatically highlights what matters most, and offers concise summaries that reduce noise and cognitive load. Beyond interpretation, it provides quick-access actions and guided steps that help analysts progress investigations with confidence and consistency. Its strength comes from its ability to reason across diverse evidence, stitch narrative context, and translate technical signals into meaningful next moves - enabling a smoother, more intuitive investigation experience end to end. |
| Email Investigation | Automates the full lifecycle of email-borne threat response, spanning mailbox search, forensic collection, analysis, containment, and incident closure across all major mail platforms and security layers. |
| Help Center | Provides answers to questions by referencing product documentation. If further assistance is needed, the agent assists you in opening a support case. |
| Network Security | Audits next-gen firewalls for vulnerabilities, expired certificates, outdated software, risky or unused rules, capacity limits, and other misconfigurations. It searches logs for threats and then automates or guides clean-ups and upgrades to keep the network secure. |
Recommended agents
In some cases, the system may suggest you switch agents based on the page you are viewing. For example, if you are viewing a case and have a chat with the Threat Intel agent open, the system will suggest switching to the Case Investigation agent for more relevant results.