Cortex Copilot capabilities - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

When you ask a question of Cortex Copilot in natural language, the Help Center provides summaries of product documentation together with links to the source articles. When you ask Cortex Copilot questions, a link to Ask the Help Center appears in the Navigate column. A summary of the relevant documentation is displayed along with links to the documentation sources.

The following are sample prompts:

Create an XQL query from the Copilot prompt

Abstract

Use natural language in the Cortex Copilot prompt to generate XQL queries.

You can use natural language prompts in the Cortex Copilot, simplifying the process of creating XQL queries and making it accessible to users without advanced query writing skills. By describing what you need in plain language, the system translates your request into an accurate XQL query, saving time and reducing errors.

1. In the Cortex Copilot, type a prompt for the query you want it to generate.

   For example, <IP address> communications in the last 30 days

   The prompt is sent to the LLM model. The LLM model decides if the required data set is supported and if it can create a query for the submitted prompt. Cortex Copilot then adds the Generate XQL option under the INVESTIGATE section. This may take a few seconds.

   Note

   • Prompts must contain three or more words to trigger the prompt-to-XQL capability. Be as specific as possible to ensure the Cortex Copilot generates an accurate and relevant XQL query. Clear and detailed prompts help the system understand your exact needs, reducing ambiguity and minimizing the chances of incorrect or incomplete results. This saves time and makes your queries more efficient and effective.

   • Currently, the prompt-to-XQL capability supports only the XDR data data set (such as network communications and authentication logs). It does not support general or incident-related queries.

2. Under the INVESTIGATE section, click Generate XQL.

   Cortex Copilot asks the LLM model to create the query.

   Tip

   You can review and provide feedback (thumbs up/down or comments) on the generated queries. Feedback on queries helps refine and improve the Cortex Copilot.

3. Click Run Query to run the query or Open in XQL to edit the query.

Example 10. 

In this example, the following prompt entered in the Cortex Copilot is sent to the LLM model. In this case, the LLM model supports the required data set and can create a query for the submitted prompt. Cortex Copilot then adds the Generate XQL option under the INVESTIGATE section.

After clicking Generate XQL, the Cortex Copilot asks the LLM model to create the query.

Once the query is generated, click Run Query to run the query or Open in XQL to edit the query.

The Cortex Copilot conducts investigations on entities entered in the search bar. It can investigate a range of entities including hosts, users, hashes, domains, IP addresses, and incidents. To initiate an investigation, enter the entity name in the search bar, or ask specific questions about the entity, such as "What are the events related to <entity>?". You can then select from the relevant options displayed in the Investigate column, which includes a comprehensive set of Cortex XQL library queries for conducting investigations. A summary of the entity's details in displayed. For more details, click Show me more.

After entering an entity in the Cortex Copilot search bar, you have the option to take action by selecting one of the suggestions listed in the Respond column. These suggestions encompass a variety of actions, such as running playbooks and scripts, performing scans, and collecting support files.

Cortex Copilot uses Cortex’s role-based access control (RBAC) to control the type of access and actions a user can perform in Cortex XSIAM. Suggestions and responses offered by Cortex Copilot will be customized according to that specific user’s RBAC access. A user with Admin rights can manage user roles that are assigned to Cortex XSIAM users or user groups in Cortex XSIAM by selecting Settings → Configurations → Access Management. For more information on user roles and groups, see Manage user roles and access management.Manage user roles and access management

Use Cortex Copilot to navigate in Cortex XSIAM. You can search in navigation mode in one of the following ways:

Additionally, you can enter multiple search terms and Cortex Copilot will search for pages that include either of the terms (as if there was a logical OR between the words).

By creating a support case directly from Cortex Copilot, you ensure that relevant information is collected for troubleshooting, including tenant details, Cortex XDR agent details, and optionally screen and HAR recording. Cortex Copilot also attaches the last conversation to the support case for increased context.

To submit a support case:

Utilizing Cortex Copilot to open support cases streamlines the process and ensures that key investigation details are retained, facilitating a more efficient and effective resolution of issues.

Support of various Cortex Copilot capabilities depends on the region your tenant is in and how it is classified by Google. The following describes which Cortex Copilot modules are supported in which region type.