Use Cortex Agentic Assistant chat in an investigation - Learn how to use the Agentic Assistant chat. - Administrator Guide - Cortex XDR - Cortex

Use Cortex Agentic Assistant chat in an investigation - Learn how to use the Agentic Assistant chat. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product

Cortex XDR

License

XDR + Cloud

Creation date

2025-07-13

Last date published

2026-06-11

Note

The Cortex Agentic Assistant is currently available in limited regions. For more information see Cortex Agentic Assistant If your tenant is not within one of those regions, you have access to the Cortex Assistant.Cortex Agentic AssistantCortex Assistant

To enable the Cortex Agentic Assistant, go to Settings → Configurations → General → Server Settings → Agentic Assistant.

The chat leverages your personal context (such as your name, email, and roles), the agent’s description, available actions, and conversation context to enable highly informed and personalized interactions. You can manage multiple chats simultaneously and easily switch between the agents you have access to. Before acting, the agent generates a plan, verifying each step while executing the sequence of actions that fulfill your request.

Accessing and exiting the Agentic Assistant chat is designed to be quick and seamless, allowing you to jump into your investigations or step away with ease.

Access the chat

To access the chat, you must have the correct permissions. For more information, see Agentic Assistant role-based access control.

Exit the chat

To close the chat window, click anywhere outside the chat window's boundaries or in the side menu click Agentic Assistant.

Choose an agent

Before you dive into your investigation, select the most relevant AI agent for the job. Each agent is designed with specific goals and functions to help you address different aspects of security operations.

Within the chat prompt, click the agent icon; a list of available agents appears. As you hover over each agent, a brief description pops up explaining what that agent does and its primary focus. Select the agent that best suits your current task or investigation.

You can choose from system agents, public agents other users have created, or agents you have personally built and configured.

System agents are pre-built, mission-focused virtual personas provided out-of-the-box by Cortex XDR to handle specific security use cases without requiring manual configuration. You can enable or disable system agents, but you cannot edit their core instructions or delete them.

Unlike custom agents which can be private, system agents are available to all users in the tenant, though the specific actions they can execute depend on you user permissions. System agents come with defined roles and permissions, for example, the Threat Intel agent is pre-configured to enrich indicators, while the Help Center agent is designed specifically to retrieve documentation.

You can access additional system agents by enabling specific modules or licenses. Ensuring you have the relevant licenses active (for example, Cloud Posture or XSIAM Enterprise) will ensure the corresponding agents appear in your list. For instance, the Exposure Management agent helps prioritize risks but explicitly requires the Exposure Management add-on to function.

If a system agent is missing from your chat, it may be disabled or not included in your license. Go to the Agents Hub, where you can view a list of all enabled and disabled agents (accessible via the side panel in the Agentic Assistant menu). An administrator may need to re-enable it to make it visible in your chat again.

Here are some examples of the specialized system agents, each relevant for specific security workflows:

Agent Type	Description
Email Investigation	Automates the full lifecycle of email-borne threat response, spanning mailbox search, forensic collection, analysis, containment, and incident closure across all major mail platforms and security layers.
Help Center	Provides answers to questions by referencing product documentation. If further assistance is needed, the agent assists you in opening a support case.
Network Security	Audits next-gen firewalls for vulnerabilities, expired certificates, outdated software, risky or unused rules, capacity limits, and other misconfigurations. It searches logs for threats and then automates or guides clean-ups and upgrades to keep the network secure.

Safeguards for chat security and control

Cortex Agentic Assistant implements the following safeguards to ensure agent plans and executions are secure, approved, and maintains your control over critical system changes.

Agents are designed to intelligently validate their proposed plans, ensuring that all necessary permissions are in place before any action is taken.
Cortex Agentic Assistant clarifies ambiguous prompt intentions and blocks requests that may be exploitative or harmful, for example, to perform a malicious operation.
For any sensitive actions, agents will always require your explicit approval.
Cortex Agentic Assistant clarifies ambiguous prompt intentions to verify the intention.

Engage with your agent

After choosing an agent, in the chat prompt, type a request using natural language. Be as clear and specific as possible. Submit your request by pressing Enter or clicking the submit arrow. Some agents provide relevant chat conversation starters under the chat prompt.

During a conversation, when an agent is formulating a plan or executing steps, clicking the agent will show which actions it is using. You can scroll between the actions or close the panel.

Tip

If you need to quickly access various product pages within Cortex XDR, type / in the prompt.

Examples

Using chat prompt conversation starters in the Agentic Assistant simplifies and speeds up your interactions by providing pre-defined, common queries that guide you to relevant actions and information.

For example, a SOC analyst may see the following conversation starters under the chat prompt:

What are the top issues I should prioritize today?
Show me all issues with an overdue SLA
Which automations are waiting for my input?

Best practices

To maximize the effectiveness and accuracy of your interactions with Cortex Agentic Assistant, follow these recommended best practices when entering your prompts.

Be clear and specific
Clearly state your objective and provide the necessary context. Instead of "Fix the issue," try "Investigate issue 1234 and isolate any affected hosts on which malware has been identified." Specify exact values, IDs, and relevant details.
Break down complex tasks
For multi-step or intricate processes, break your request into smaller steps within a prompt. This allows the agent to focus, validate each step, and helps guide the flow.
Include key information
Always include relevant incident IDs, indicator values (such as IP addresses and file hashes), or entity names directly in your prompt. The more precise the initial information, the better the agent can leverage its actions and context.
Specify a desired output or action:
If you need a particular type of output (for example, "Summarize the findings," "List all affected assets") or a specific action (for example, "Isolate host X," "Block IP Y on firewall"), explicitly state it. This helps the agent understand your intent beyond just identifying the problem.

View the plan

Cortex Agentic Assistant operates with transparency. The agent's proposed plan or steps for any action are always visible.

Click Plan and expand the chevron to review the detailed breakdown of what the agent intends to do.

Note

An agent's proposed plans and results may contain inaccuracies or errors. Always review the results carefully to ensure you fully understand the proposed action before proceeding.

Navigate long responses

If an agent's response is long, you can easily scroll through it. To jump directly to the last line of a long response, click the anchor icon.

Start fresh

Sometimes, an investigation takes a new direction, or you want to pivot to a different task. You can always open a new conversation or start a new investigation path with a new agent whenever needed, giving you maximum flexibility.

Processing time

While an agent is processing a prompt, you can begin typing a new prompt. However, you can only submit this new prompt once the previous one has completed its processing. For complex actions, the system may indicate that it's taking some time. Be aware that actions exceeding five minutes will result in an error.

Privacy and transparency

Your conversations within the Agentic Assistant chat are private. However, for transparency and auditing purposes, Cortex XDR audit logs record all actions performed by the agents in response to your prompts. This ensures transparency by providing a detailed, traceable record of who initiated an action, what action was taken, and when, without logging the private content of your prompts themselves.

Chat history

Cortex Agentic Assistant helps you keep track of your investigations by organizing your chat history for easy review and continuity.

Your chat history is listed to the left of the prompt, making it simple to navigate past conversations. The chat history is organized by periods: Chats from today, yesterday, the last seven days, and older. To continue a previous investigation or review a past conversation, scroll through the list and click on the chat you wish to resume.

Manage your chats

By default, the first prompt you enter in a new chat becomes its title in the history. To edit the chat title or delete a chat that is no longer relevant, click and select Edit or Delete.