In the modern SOC, every second counts. With adversaries using AI to move from initial access to full impact in as little as 72 minutes, analysts need to be faster than ever at understanding a case and its impact on the organization.
Meet your new SOC teammate: the Case Investigation Agent. Accessed via the Cortex Agentic Assistant, the Case Investigation Agent is a context-aware companion that combines deep domain expertise with proprietary intelligence to help your team close cases faster. It acts as your case expert, taking the guesswork out of triage, providing contextual assistance and reasoning through an investigation to tell you exactly what happened and how to fix it.
“Crime-Scene” Reconstruction
When an analyst opens a case, the first question is always: What am I looking at? Each case comes with an AI-generated case summary, providing security analysts with an immediate debrief and helping them quickly grasp the case's scope and set a clear starting point for their investigation. As an investigation evolves, the case context is updated. Each time new data or issues are added, the system regenerates the description to reflect the most current information available.
Operationalizing AI in Your Case Investigation
Once you have an overview of the case from the case summary, you want to expand the scope of the investigation. You can chat with the agent about the case. Some example prompts include:
- "How are these entities related to the case?"
- "Tell me more about these artifacts and indicators identified in this case."
- "Provide a detailed summary of the case."
The Case Investigation Agent doesn’t just answer; it can act. It enables you to efficiently explore, clarify, and gain deeper insights throughout your investigation. This ensures that even the most complex investigations remain manageable, transparent, and highly efficient.
The video below illustrates how an analyst might engage with the Case Investigation Agent.
An analyst is working on a case and needs to learn more about the indicators identified.
She asks the agent to tell her what it knows about the indicators in this case, enrich them, and provide a summary of key findings.
The agent doesn’t just jump to an answer. It reasons through the request and shows exactly how it plans the solution step by step, including the actions and tools it will use.
The agent reviews the case indicators: files, IPs, URLs, and domains. It checks verdicts across connected threat intelligence sources and examines factors such as prevalence, first seen, last seen, and additional context.
It then organizes all the information into a clear summary, showing which indicators actually matter, which ones are malicious, and why.
The analyst gets information she can act on. But she wants to dig a bit deeper. So, she asks the agent to look at past data and identify when these indicators were detected in the system.
The agent goes to the raw data. It builds a query to search the last 30 days of logs for the same indicators. The analyst doesn’t need to know XQL, Cortex’s native query language, to obtain this information; the agent handles it for her.
From here, the analyst can decide how to proceed. She can ask the agent to gather more details on affected assets and asset groups, or she can instruct it to take action, such as isolating a host, disabling an impacted user, or escalating the case.
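The walkthrough above has two technical steps worth seeing in code: enriching the case indicators (type, verdict, first seen, last seen) and then searching a fixed window of historical logs for the same values. The block below is an added example, not Cortex code and not the XQL the agent actually generates. It is a small Python stand-in that refangs the indicators as they typically arrive in a case, classifies them, joins constructed threat-intel verdicts, searches 30 days of constructed log lines for hit count, first/last seen and affected hosts, and ranks the result so the indicators that matter come first. All indicator values, verdicts, hostnames and log lines are constructed for the example.

```python
"""Indicator triage over a 30-day log window: a constructed stand-in for the
enrichment and historical-search steps in the walkthrough above."""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed case indicators, including defanged forms as they often arrive in a case.
CASE_INDICATORS = [
    "hxxp://update-check[.]example[.]net/payload.bin",
    "update-check[.]example[.]net",
    "203.0.113.45",
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of an empty file: appears everywhere, not evidence
    "198.51.100.7",
]

# Constructed verdicts standing in for what connected threat-intel sources would return.
TI_VERDICTS = {
    "http://update-check.example.net/payload.bin": "malicious",
    "update-check.example.net": "malicious",
    "203.0.113.45": "suspicious",
    "d41d8cd98f00b204e9800998ecf8427e": "benign",
    "198.51.100.7": "unknown",
}

# Constructed log lines (key=value pairs after an ISO timestamp); the first is older than 30 days.
NOW = datetime(2025, 6, 30, 12, 0, 0)
LOG_LINES = [
    "2025-05-10T08:01:00 host=ws-017 type=dns query=update-check.example.net",
    "2025-06-03T09:14:00 host=ws-017 type=dns query=update-check.example.net",
    "2025-06-03T09:14:02 host=ws-017 type=net dst=203.0.113.45",
    "2025-06-03T09:14:05 host=ws-017 type=url url=http://update-check.example.net/payload.bin",
    "2025-06-20T17:40:00 host=srv-02 type=net dst=203.0.113.45",
    "2025-06-21T11:00:00 host=ws-044 type=file md5=d41d8cd98f00b204e9800998ecf8427e",
    "2025-06-25T13:00:00 host=ws-044 type=net dst=192.0.2.10",
]

VERDICT_RANK = {"malicious": 0, "suspicious": 1, "unknown": 2, "benign": 3}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://evil[.]example) back into a matchable value."""
    v = ioc.strip().lower()
    for old, new in (("hxxps://", "https://"), ("hxxp://", "http://"),
                     ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(old, new)
    return v


def classify(ioc: str) -> str:
    """Rough indicator type: md5, sha256, url, ip, domain or unknown."""
    v = refang(ioc)
    if re.fullmatch(r"[0-9a-f]{32}", v):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{64}", v):
        return "sha256"
    if "://" in v:
        return "url"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v):
        return "domain"
    return "unknown"


def parse_log(line: str) -> dict:
    """Parse one constructed log line into a timestamp, host and the set of searchable values."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    values = {v.lower() for k, v in fields.items() if k not in ("host", "type")}
    if "url" in fields:  # a URL sighting is also a sighting of its hostname
        values.add(urlsplit(fields["url"].lower()).hostname or "")
    return {"time": datetime.fromisoformat(ts), "host": fields["host"], "values": values}


def search_window(indicators, log_lines, now, days=30):
    """Hit count, hosts, first seen and last seen per indicator within the last `days`."""
    start = now - timedelta(days=days)
    hits = {refang(i): {"type": classify(i), "count": 0, "hosts": set(),
                        "first_seen": None, "last_seen": None} for i in indicators}
    for rec in map(parse_log, log_lines):
        if not start <= rec["time"] <= now:
            continue  # outside the requested timeframe, like a query timeframe filter
        for ioc, h in hits.items():
            if ioc in rec["values"]:
                h["count"] += 1
                h["hosts"].add(rec["host"])
                h["first_seen"] = rec["time"] if h["first_seen"] is None else min(h["first_seen"], rec["time"])
                h["last_seen"] = rec["time"] if h["last_seen"] is None else max(h["last_seen"], rec["time"])
    return hits


def triage(indicators, verdicts, log_lines, now):
    """Join TI verdicts with the historical search; malicious and most-seen indicators first."""
    rows = []
    for ioc, h in search_window(indicators, log_lines, now).items():
        rows.append({"indicator": ioc, "type": h["type"],
                     "verdict": verdicts.get(ioc, "unknown"),
                     "count": h["count"], "hosts": sorted(h["hosts"]),
                     "first_seen": h["first_seen"], "last_seen": h["last_seen"]})
    rows.sort(key=lambda r: (VERDICT_RANK[r["verdict"]], -r["count"]))
    return rows


if __name__ == "__main__":
    for r in triage(CASE_INDICATORS, TI_VERDICTS, LOG_LINES, NOW):
        seen = f"{r['first_seen']:%Y-%m-%d}..{r['last_seen']:%Y-%m-%d}" if r["count"] else "not seen"
        print(f"{r['verdict']:<10} {r['type']:<7} {r['count']:>2} hit(s) {seen:<22} hosts={r['hosts']} {r['indicator']}")
```

Two things the example makes visible that an analyst should check before acting on any generated query, whether an agent or a colleague wrote it: the indicators must be refanged and type-checked before they are searched (a defanged domain matches nothing), and the timeframe must be the one intended (the May sighting is silently dropped by the 30-day window). The empty-file hash is also a reminder that a hit is not a finding; the verdict and the hosts behind the hit are what decide whether isolating a host or disabling a user is the right next step.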
Case Closed
In the high-stakes world of the modern SOC, the "golden hour" of incident response has shrunk to minutes. The Cortex AgentiX Case Investigation Agent is your tireless partner on the case. From the moment a case is opened, it acts as your digital forensic expert, reconstructing the "crime scene" with AI-driven summaries and turning plain-English questions into the queries that answer them. Whether it's unmasking a root cause or isolating a compromised host, the agent doesn't just suggest the next move. It helps you make it.
Explore our Case Investigation Agent and other AI innovations in Cortex AgentiX or contact us for a demo today and unlock the full potential of your SOC team!